[eluser]Nick Husher[/eluser]
@Phil: I'm not sure I know what you mean. Spoofing an Ajax request ranges from trivially easy to tricky-but-doable without some serious consideration on the part of the developer.
@industrial: What exactly do you mean by secure? You have a few different security concerns related to Ajax requests, and each of them has different solutions and philosophical approaches.
Are you looking to secure the data you pass between the server and the client? I.e. are you planning to send sensitive data across the wire that could potentially get sniffed off the network? If that's the case, pushing all your asynchronous requests into HTTPS is a good first step. HTTPS handles all the encryption transparently; the only downside is that you have to potentially deal with insecure content warnings if you don't do it correctly. You also need to make sure you're rigorous about cross-site scripting attacks, since anything available to one piece of your JavaScript is available to everything, and the last thing you want is some injected code to snitch a password or user ID.
Are you looking to verify that actions taken via Ajax on behalf of a user are actually intended by the user? I'm talking about cross-site request forgery attacks here: if you expose a particular URL that causes a destructive action via Ajax (i.e. editing or deletion), and aren't careful about making sure any request to this URL is made with the user's conscious consent, you'll end up with someone losing data by a malicious image tag or nasty form.
Are you looking to secure who has access to your Ajax API? In other words, do you want to exclude anything that isn't your client-side webapp from accessing your API? There are a few ways to do this, but all of them are tricky and have workarounds for the dedicated spoofer.
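A server-side check for the cross-site request forgery case described in the post above, as an added example that is not part of the original post: a destructive Ajax action is refused unless it uses a state-changing method and carries a per-session token in a request header. The function names, the `x-csrf-token` header name and the plain `req`/`session` objects are assumptions made for illustration.

```javascript
const nodeCrypto = require("crypto");

// Methods that must never change state: an <img> tag or a link can trigger them.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Create a per-session random token; the page embeds it so the webapp's
// own script can send it back in a request header.
function issueCsrfToken(session) {
  session.csrfToken = nodeCrypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

// Constant-time comparison so the check does not leak how many characters matched.
function tokensMatch(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Decide whether a request to a destructive action (edit, delete) may proceed.
// `req` is a hypothetical plain object: { method, headers } with lower-case header names.
function checkDestructiveRequest(req, session) {
  if (SAFE_METHODS.has(String(req.method).toUpperCase())) {
    return { allowed: false, reason: "destructive action requested with a safe method" };
  }
  if (!tokensMatch(session.csrfToken, req.headers["x-csrf-token"])) {
    return { allowed: false, reason: "missing or wrong CSRF token" };
  }
  return { allowed: true, reason: "token verified" };
}

// Constructed sample requests, one per case named in the post.
const session = {};
const token = issueCsrfToken(session);
const samples = [
  { method: "GET", headers: {} },                          // image tag pointing at the URL
  { method: "POST", headers: {} },                         // auto-submitted cross-site form
  { method: "POST", headers: { "x-csrf-token": token } }, // the webapp's own Ajax call
];
for (const req of samples) {
  console.log(req.method, checkDestructiveRequest(req, session));
}
```
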