假设你正在构建一个多步骤（5份）预订引擎有一个全面的后台，但有一层阿贾克斯，在那里你可以去通过所有5个步骤，在最初加载页面。具体的步骤是：

Let's say you were building a multi-step ( 5 part ) booking engine that had a fully working backend but had a layer of ajax, where you can go through all 5 steps in the initially loaded page. The steps would be:

我会假设你想保持一个 HTTPS 协议，整个网站的，我不太清楚，我需要进行加密或保护什么样的措施而我加载数据，并提交包含信用卡信息的形式Ajax调用。

I'd assume you'd want to keep the whole site on an https protocol, I'm not quite sure what types of measures I need for encrypting or securing ajax calls while I'm loading in data and submitting the form that contains the credit card information.

推荐答案

要你的服务器，AJAX请求是相同的常规HTTP / HTTPS请求。攻击者可以有目的地浏览任何AJAX网址，看到的结果。因此，主要的回答是：你会使用一个非AJAX网站上的任何安全机制，还必须加强对AJAX驱动的请求。这包括所有的身份验证和授权步骤prevent会话劫持，强迫浏览和CSRF。

To your server, AJAX requests are identical to regular HTTP/HTTPS requests. An attacker can purposefully browse to any AJAX URL and see the result. So, the primary answer is: any security mechanism you'd use for a non-AJAX website, you must also enforce on AJAX-driven requests. This includes all the authentication and authorization steps to prevent session hijacking, forceful browsing, and CSRF.

除此之外，与广泛使用JavaScript和AJAX你更容易受到JavaScript注入。封装和逃避JavaScript和JSON是不是标准的HTML麻烦。

Beyond that, with extensive use of JavaScript and AJAX you are more susceptible to JavaScript injection. Encapsulating and escaping JavaScript and JSON is trickier than standard HTML.

最后，还有几个XML驱动的攻击是谨慎使用基于XML的AJAX，尤其是亿元笑攻击和XML注入时。

Lastly, there are a few XML-driven attacks to be wary of when using XML based AJAX, notably the Billion Laughs Attack and XML injection.

在Web安全测试食谱对AJAX安全一章：

The Web Security Testing Cookbook has a chapter on securing AJAX:

http://books.google.com/books?id=VmrSJ3V-s_MC&lpg=PP1&dq=web%20security%20testing%20cookbook&pg=PA197#v=onepage&q=chapter%2010&f=false