Aaron Selonke
10,323 Points
Form security
This form will check if the password strings match on the user's computer with JavaScript before sending the data up to the server.
I know that Andrew's example is to learn jQuery and is not focused on security, but I have two questions about this example:
1) Is it secure to handle these password strings inside the browser with JavaScript?
2) If not, how could someone intercept the information on the form?
3) What is the most secure way to handle information on forms?
2 Answers
Kevin Korte
28,149 Points
Fortunately, this is only for better UX. You should never try to validate form data with jQuery or JavaScript on the client side without also checking it on the server side.
Jquery validation really is just to give the user a heads up that their form won't submit before they submit it.
So because of that, yes, this is perfectly safe, because the data hasn't left the user's computer yet. It hasn't traveled across the internet, and so handling the password this way is fine. You're not exposing their data to any risk. If their computer was compromised with a key logger, or something to that effect, then just them merely typing their password exposes their password, but that's not your fault, nor can you try to detect an infected user's computer.
The moment they hit submit is when their data could be exposed. This is where we use SSL certificates. Look at your browser URL bar; you'll see that this site has some sort of lock icon, showing it has a valid SSL certificate. Now truthfully, I don't understand how SSL certificates work under the hood, and I don't really need to. I know how to install them, and buy them, and that's all I care about. But a good SSL certificate from a reputable supplier will encrypt and protect the data in transit from your client to your server or back again, preventing plain-text interception. SSL is going to encrypt the data in transit for you, and it will decrypt it on the server, which is why you have to install the SSL certificate on the server: it's the key it uses to undo the encryption so you can then work with the data in plain text again.
SSL installed is the "standard" for dealing with form data. If you were super concerned about security, I'm sure there are other things that can be done, but at that point you'd probably be, or be working with, highly experienced security experts that don't really talk about the ins and outs freely. SSL is, for most all sites, enough security. It's all services like Stripe require to protect user payment information when you send it to Stripe's servers.
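The point in this answer, that the jQuery check is UX only and the server must repeat the check, is easiest to see when the rule is written once as a plain function and called from both places. The example below is added here and is not code from the course or from either poster; the form id `#signup`, the field names `password`/`confirm`, the 8-character minimum and the `handleRegistration` handler shape are all assumptions.

```javascript
// Added example (not from the Treehouse thread): one password-match rule,
// run in the browser for early feedback and run again on the server as the
// authoritative check. Field names, form id and the length rule are assumed.

// Shared validation rule. Returns a list of error strings; an empty list
// means the submission is acceptable. Non-string values are treated as empty
// so a malformed body cannot slip past the check.
function validatePasswordFields(fields) {
  const errors = [];
  const password = typeof fields.password === "string" ? fields.password : "";
  const confirm = typeof fields.confirm === "string" ? fields.confirm : "";
  if (password.length < 8) {
    errors.push("password must be at least 8 characters");
  }
  if (password !== confirm) {
    errors.push("passwords do not match");
  }
  return errors;
}

// Browser side (UX only): stop the submit and tell the user before the request
// leaves their machine. Nothing here protects the data; it just saves a round trip.
function attachClientCheck(form) {
  form.addEventListener("submit", (event) => {
    const fields = {
      password: form.querySelector("[name=password]").value,
      confirm: form.querySelector("[name=confirm]").value,
    };
    const errors = validatePasswordFields(fields);
    if (errors.length > 0) {
      event.preventDefault();      // keep the form from submitting
      alert(errors.join("\n"));    // surface the problem to the user
    }
  });
}

// Server side (authoritative): re-run the same rule on the parsed request body,
// because the browser step may not have run at all. Hypothetical handler shape;
// a real app would go on to hash and store the password over HTTPS.
function handleRegistration(body) {
  const errors = validatePasswordFields(body || {});
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  return { status: 201, body: { ok: true } };
}

// Only wire up the DOM listener when running in a browser.
if (typeof document !== "undefined") {
  const form = document.querySelector("#signup");
  if (form) attachClientCheck(form);
}
```

The server handler deliberately does not trust the browser's result; it calls `validatePasswordFields` on whatever arrived in the body, so a request that skipped the jQuery step gets the same 400 response as one the browser would have blocked.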
Gari Merrifield
9,598 Points
I would add that using POST with your SSL forms would be the more secure choice. Using GET puts the form data in your URL string, which would be intercepted by a proxy server. Many large networks use proxy servers to control where users are allowed to go, and to cache certain requests to reduce bandwidth usage.
Using GET could also leave the form data hanging around in your browser history, and that could be abused at a later time by malware, or someone that obtained physical access to the computer.
Just my two cents...
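To make the GET-versus-POST difference concrete, the example below mimics how a browser serialises the same form under each method, reports which sensitive fields a URL exposes, and redacts those values before a request line is written to an access log. It is added here and is not code from the thread; the `/login` action, the field names and the `SENSITIVE_FIELDS` list are assumptions.

```javascript
// Added example (not from the Treehouse thread): the same form submitted with
// GET versus POST, plus a log scrubber for query strings. Action path, field
// names and the sensitive-field list are constructed for illustration.

const SENSITIVE_FIELDS = new Set(["password", "confirm", "card", "cvv", "token"]);

// Mimic the browser's application/x-www-form-urlencoded submission.
// GET: fields become the query string, which lands in the URL bar, browser
// history and proxy/access logs. POST: fields travel in the body; the URL stays clean.
function buildFormSubmission(method, action, fields) {
  const encoded = new URLSearchParams(fields).toString();
  if (method.toUpperCase() === "GET") {
    return { method: "GET", url: `${action}?${encoded}`, body: null, headers: {} };
  }
  return {
    method: "POST",
    url: action,
    body: encoded,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
  };
}

// Names of sensitive fields present in a URL's query string (relative URLs
// are resolved against a placeholder origin so URL() can parse them).
function exposedSensitiveFields(url) {
  const query = new URL(url, "https://example.invalid").searchParams;
  return [...query.keys()].filter((key) => SENSITIVE_FIELDS.has(key.toLowerCase()));
}

// Replace sensitive query values before the request line reaches a log, so a
// GET form that slipped through does not leave passwords in plain text on disk.
function redactUrlForLog(url) {
  const parsed = new URL(url, "https://example.invalid");
  for (const key of [...parsed.searchParams.keys()]) {
    if (SENSITIVE_FIELDS.has(key.toLowerCase())) {
      parsed.searchParams.set(key, "REDACTED");
    }
  }
  return parsed.pathname + parsed.search;
}

// Constructed sample: the same two fields sent both ways.
const sample = { user: "ann", password: "hunter2" };
const viaGet = buildFormSubmission("GET", "/login", sample);
const viaPost = buildFormSubmission("POST", "/login", sample);
console.log("GET  ->", viaGet.url, "exposes:", exposedSensitiveFields(viaGet.url));
console.log("POST ->", viaPost.url, "exposes:", exposedSensitiveFields(viaPost.url));
console.log("log line for GET ->", redactUrlForLog(viaGet.url));
```

The redaction step is the defensive complement to the answer's point: even with `method="post"` on every sensitive form, a log scrubber like `redactUrlForLog` keeps an accidental GET from turning every proxy and web-server log into a password store.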