How To Secure Javascript Code?

Wednesday, December 17th, 2014

Javascript is a popular scripting language that is mostly used for developing web applications and performing client side validations. Launched by Netscape in 1995, the language is also used for game development and server side programming. Javascript is a part of most modern browsers (except some lightweight browsers) and it allows web developers to develop lightweight cross-browser and cross-platform applications that run equally well on desktops and mobile devices. However, the language also has several security vulnerabilities that have been exploited by hackers and criminals to perform large scale security attacks. If your website or web application uses Javascript code, you can use the tips given below to secure the code and improve its performance:

1) Prevent XSS Attacks

Cross site scripting attacks occur when hackers try to pass and execute malicious code (for instance, MySQL code) on web servers through form values. Some of the major security breaches in the last few years have relied on XSS, so you need to adopt a very strong client side validation procedure to prevent such attacks. Remember to strip the form values of all types of scripting code and unintended data (with the help of Javascript) before passing them to the web server. Client side checks can be bypassed by sending requests directly to the server, so repeat the same validation on the server and encode the values wherever they are written back into a page.
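The following is an added example, not code from the original article: it validates form values against an allowlist and encodes untrusted values before they are placed into HTML. The field names, patterns and sample submissions are assumptions made for illustration; the functions use no browser APIs, so the same checks can run in the page before submit and again in server side Javascript.

```javascript
// Added example: field names and rules below are assumptions, not from the article.
// One allowlist pattern per expected form field; anything else is rejected.
const FIELD_RULES = new Map([
  ['username', /^[A-Za-z0-9_]{3,20}$/],
  ['email', /^[^\s@<>"']+@[^\s@<>"']+\.[A-Za-z]{2,}$/],
  ['age', /^(?:[1-9][0-9]?|1[01][0-9])$/], // 1 to 119
]);

// Validate by allowlist: reject bad input instead of trying to clean it up.
function validateForm(values) {
  const errors = {};
  for (const [field, rule] of FIELD_RULES) {
    const raw = values[field];
    const value = typeof raw === 'string' ? raw.trim() : '';
    if (!rule.test(value)) errors[field] = 'invalid';
  }
  // Fields the form never defined are treated as tampering.
  for (const field of Object.keys(values)) {
    if (!FIELD_RULES.has(field)) errors[field] = 'unexpected field';
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build markup from untrusted values; every value is encoded before insertion.
function renderComment(author, body) {
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Constructed sample submissions.
const good = { username: 'alice_01', email: 'alice@example.com', age: '34' };
const bad = { username: '<script>alert("x")</script>', email: 'a@b.co', age: '34', role: 'admin' };
console.log(validateForm(good));
console.log(validateForm(bad));
console.log(renderComment(bad.username, 'Tom & "Jerry"'));
```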

2) Check Browsers

A lot of new features available in Javascript do not work on older browsers. If you are planning to use these features, do not forget to check the browser type and version (or features available in it) before executing such code. Since unsupported functions may lead to unpredictable behavior in old browsers, you should also provide an alternate version of code or use an exit clause while using such features. As far as possible, you should also avoid using redundant or browser specific features that may not work correctly on all browsers.

3) Third Party Code

There are hundreds of websites that offer free counters, timers and banner exchange scripts, but if you are planning to use third party code, be ready to test it thoroughly. Since third party scripts often run on a different web server or domain, it is very easy to introduce rogue pieces of code into them. Before using a third party script, you must test it thoroughly for performance, redirection and security.

4) File Uploads

If you permit file uploads on your website, you need to be extra careful: hackers often upload malicious files through forms, which then execute and cause all sorts of security and performance problems on the web server. To prevent such a possibility, you should check the file extension and change the file permission after the upload is complete so that it cannot execute on its own.

5) Testing

Even if you have followed the best coding practices and secured your code to the best possible extent, you cannot predict how your script is going to behave unless you actually run it. Make sure to test your code on different browsers and mobile platforms so that you can get an accurate idea of whether it is working properly or not. Do not forget to use error handling to detect errors and specify how to deal with them.
