Secure Implementation of Asynchronous XHRs
I found this great tip via Google, and I am well familiar with the technique of populating divs via Javascript. What I'm wondering is, is this a secure way of requesting Asynchronous page content or not? If not, what would be a "secure" solution for partial page loading?
Thanks so much :)
An Ajax call is an HTTP request.
The same security practices that are used for normal POST and GET apply to Ajax POSTs and GETs.
People freak out because I can see my Ajax call in Firebug and people can see the urls of the calls. Anyone can see your calls to backends with a simple proxy.
The only thing different is that Ajax calls are more open to attack with XSS, since people tend to shove whatever is in the response into innerHTML. The only way that really happens is if the server is compromised and sends down bad info, or a man-in-the-middle attack happens.
But when you look at it, the same thing can be injected with a normal get.
You should make sure you are still using authentication on the server for the Ajax backend calls, you should validate the data on the server, and add basic security checks on the client, and avoid eval() [use JSON.parse or JSON.js]
OWASP has some Ajax Security Guidelines.
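To make the answer's last points concrete (parse with JSON.parse instead of eval(), do basic checks on the client, and don't drop raw response text into innerHTML), here is an added example that is not from the original post or the answerer. It assumes a hypothetical backend that returns a JSON object of the shape `{"title": "...", "items": ["..."]}`; the sample response below is constructed for the demo and deliberately contains markup that would become a script if inserted unescaped.

```javascript
// Added example (not from the original post). Assumed backend contract:
// {"title": string, "items": string[]}. Server-side authentication and
// validation still apply; this is only the client half of the picture.

// 1. Parse with JSON.parse, never eval(). JSON.parse only produces data,
//    whereas eval() would execute whatever a compromised or spoofed backend
//    sent back as if it were our own script.
function parseResponse(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new Error("response is not valid JSON");
  }
  // Basic client-side shape check: reject anything that is not exactly what
  // the page expects, even if it parsed cleanly.
  if (typeof data !== "object" || data === null ||
      typeof data.title !== "string" || !Array.isArray(data.items) ||
      !data.items.every((s) => typeof s === "string")) {
    throw new Error("response has unexpected shape");
  }
  return data;
}

// 2. Escape server-supplied strings before they go anywhere near innerHTML,
//    so text can never turn into tags or attributes in the div.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the fragment from data fields, not from the raw response body.
function renderFragment(data) {
  const items = data.items.map((i) => `<li>${escapeHtml(i)}</li>`).join("");
  return `<h2>${escapeHtml(data.title)}</h2><ul>${items}</ul>`;
}

// Full path from response text to markup that is safe to assign to innerHTML.
function loadFragment(text) {
  return renderFragment(parseResponse(text));
}

// Constructed sample response: what an attacker-controlled backend or a
// man-in-the-middle might send. Note the script tag and the onerror handler.
const SAMPLE_RESPONSE = JSON.stringify({
  title: "Latest <script>alert(1)</script>",
  items: ["ok", "<img src=x onerror=alert(2)>"]
});

// In the browser (hypothetical URL), the same-origin cookie carries the
// session so the backend can still authenticate the Ajax call:
//
//   const resp = await fetch("/partial/news", { credentials: "same-origin" });
//   document.getElementById("news").innerHTML = loadFragment(await resp.text());
//
// If the fragment were plain text rather than markup, assigning it with
// textContent instead of innerHTML would make escapeHtml unnecessary.
```

The shape check in parseResponse is the "basic security checks on the client" the answer mentions: it is not a substitute for server-side validation, but it stops a response that parsed as a string, number, or differently shaped object from reaching the rendering code at all.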