The Security of the Empty Client Model: In Contrast with AJAX
The benefits of AJAX are undisputed, in particular the techniques that empowered the Web 2.0 experience. This helped make AJAX very popular in mainstream web programming because it offered a richer web UI and more fluid page transitions. Today, approximately 60% of all newly built websites use some AJAX components. AJAX, however, has not achieved anything close to that penetration rate in the enterprise. In fact, only 1% of newly built enterprise web applications utilize major AJAX infrastructures.
Analysts believe that one of the main reasons for the low penetration rate into enterprise applications is the security complications that traditional AJAX creates. A traditional Web 2.0 AJAX application makes scattered calls to the server instead of the centralized calls of Web 1.0. "Not only does this scattering of AJAX calls make it difficult for developers to handle, but also tends to induce sloppy coding practices because these calls are hidden and not easily obvious," noted Shreeraj Shah in Top 10 Ajax Security Holes and Driving Factors. The increase in the application's endpoints also naturally enlarges the application's attack surface, as more services between the client and the server open up.
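As an added illustration (not from the original article) of why scattered calls are hard to keep track of, the following Python script extracts every server endpoint a client-side script calls and checks each one against a server-side route inventory, flagging endpoints that declare no authorization policy or that have no matching route at all. The client script, the route table and the policy labels are constructed sample data.

```python
import re

# Constructed sample of client-side script, standing in for the scattered
# AJAX calls a Web 2.0 page makes (not from the original article).
CLIENT_JS = """
$.ajax({ url: '/api/orders/list', type: 'GET' });
$.post('/api/orders/update', data);
fetch('/api/admin/users').then(r => r.json());
new XMLHttpRequest().open('POST', '/api/report/export');
"""

# Constructed server-side route inventory: each endpoint and the
# authorization policy attached to it (None = no policy declared).
SERVER_ROUTES = {
    "/api/orders/list": "Authenticated",
    "/api/orders/update": "Authenticated",
    "/api/admin/users": None,
    "/page/Default": "Authenticated",
}

# Matches a quoted path under /api/ as it appears in jQuery, fetch or XHR calls.
URL_PATTERN = re.compile(r"""['"](/api/[\w/-]+)['"]""")


def client_endpoints(js_source):
    """Return the set of server endpoints referenced anywhere in client script."""
    return set(URL_PATTERN.findall(js_source))


def audit(js_source, routes):
    """Classify each client-referenced endpoint as ok, unprotected or unknown."""
    report = {"ok": [], "unprotected": [], "unknown": []}
    for url in sorted(client_endpoints(js_source)):
        if url not in routes:
            report["unknown"].append(url)      # called by client, no server route found
        elif routes[url] is None:
            report["unprotected"].append(url)  # route exists but declares no policy
        else:
            report["ok"].append(url)
    return report


if __name__ == "__main__":
    for status, urls in audit(CLIENT_JS, SERVER_ROUTES).items():
        print(status, urls)
```

Every endpoint in the "unprotected" and "unknown" buckets is one of the hidden calls the quotation above warns about: it exists only because some client script references it, and nothing on the server side accounts for it.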
So where does that leave us? Using today's technologies and, more specifically, .NET, we are offered many good solutions and methodologies that help us understand how, and with which tools, we can secure our applications. The most painful security challenges are not in using standard protective solutions to secure our server farm, nor in securing the messages sent between the client and the server. Those tasks can be achieved quickly and efficiently with today's firewall capabilities and other server-farm hardening solutions, and by protecting the transferred data with HTTPS, WCF and similar technologies.
The Empty Client Alternative: