
Summary

This chapter has shown that JavaScript security is not, well, very secure. While there are ways of providing some basic security by combining your scripting with HTML (e.g., "hiding" your password information within a frame), these techniques are dubious at best and can be easily broken by someone with even a modicum of technical skill. Moreover, applications can be quickly written or downloaded (see Figure 18.5) that can locate "secure" password information within seconds.

The best way, then, to think about JavaScript security is as an interim step to a more secure solution. For example, utilizing server-side security, where no sensitive password information is either passed to or otherwise stored on the client computer, is the far better option. Still, as was shown in this chapter, there are relatively secure methods for protecting your site via JavaScript. However, these should only be trusted for information that is not overly sensitive (i.e., not passwords to bank accounts!) and should again be seen as a deterrent, not as a foolproof method of blocking access.
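The contrast drawn in this summary, as an added example that is not from the book: a constructed page with the password embedded in client script, a small pre-deployment audit that finds it, and a server-side check in Node.js where the browser only ever receives the decision. All function names and the sample password are constructed, and storing the password as a salted scrypt hash is an assumption of this example.

```javascript
// Added example; names, page markup and the sample password are constructed.
const crypto = require("node:crypto");

// Weak pattern: the secret is part of the page, so every visitor receives it.
const CLIENT_PAGE = `
<script>
  function check(pw) { if (pw == "opensesame") location = "members.html"; }
</script>`;

// Audit helper: list string literals that client script compares input against.
// Anything it reports is readable by anyone who views the page source.
function findEmbeddedSecrets(html) {
  const hits = [];
  const re = /[=!]==?\s*(["'])((?:(?!\1).)+)\1/g;
  for (const m of html.matchAll(re)) hits.push(m[2]);
  return hits;
}

// Server side: keep only a salted hash (scrypt is this example's choice).
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Compare in constant time so the check does not leak how close a guess was.
function verifyOnServer(record, attempt) {
  const candidate = crypto.scryptSync(attempt, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// The response carries a decision and a page, never the secret itself.
function handleLogin(record, attempt) {
  return verifyOnServer(record, attempt)
    ? { status: 200, body: "<h1>Members area</h1>" }
    : { status: 401, body: "<h1>Access denied</h1>" };
}
```

Running `findEmbeddedSecrets` over the pages a site actually serves is a quick way to confirm that no credential comparison has been left in client script.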

