
How to protect sensitive data when using jQuery, AJAX and web services

We have quite a unique database, we have been putting it together for over 12 months, and I wonder what the common techniques and processes are to protect this data when using web services and AJAX.

We are using .NET 4.0, jQuery 1.6 and C# for web services.

I wonder what are the best techniques to protect your code and database from stealing data.

1. How do I make sure that the database replies with records only to requests from our page?

  • Is it possible to block requests from external JS and Ajax requests?
  • Do we need to generate a session hash with a secret key, so that only we know whether the hash is valid?
  • We need to stop robots from going through all the <select> filter combinations in the HTML; we can't afford for someone to develop a robot which will automatically read all combinations and save the results to a database.

2. What is the best way to minify and obfuscate JS code, to make it as difficult as possible for others to decode?

Thank you.


  1. How do I make sure that the database replies with records only to requests from our page?

Is it possible to block requests from external JS and Ajax requests?

Yes, look at the request referrer (Request.UrlReferrer.Host.ToString()). If it's not your page, don't accept the request.

Do we need to generate a session hash with a secret key, so that only we know whether the hash is valid?

No harm in that. It's easier to use a cookie. No cookie = redirect to login page. The cookie value is a random key anyway.

We need to stop robots from going through all the <select> filter combinations in the HTML; we can't afford for someone to develop a robot which will automatically read all combinations and save the results to a database.

Put this behind the login. This doesn't stop someone with a bot and a login though.

What is the best way to minify and obfuscate JS code, to make it as difficult as possible for others to decode?

There is no point in doing so. It all has to be decoded to execute, and the code to do that needs to be included with YOUR code.

In general: If you don't want people to steal it, don't put it on the WWW.


I am not sure if the referrer or cookies can protect you from sophisticated bots (HTTP referrer spoofing, more info); I might add cross-domain querying with AJAX.

I would say

  • Add authentication to your web site (Spring Security).
  • You can also add endpoint security on your web service.
  • I had done something like an expiring token on one of my projects: when the user authenticates, the user gets a token which expires at a certain time.
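The two controls the answers describe, an expiring server-signed token issued at login (this answer) and a same-page Referer/Origin check in front of the AJAX endpoint (the first answer), combined in one ASP.NET 4.0 handler. This is an added example written for this page, not code from the question or either answer; the names `ExpiringToken`, `RecordsHandler`, `SiteHost`, the `X-Auth-Token` header and the secret value are illustrative assumptions, and the token format (`userId|expiresUnix|HMAC`) is one of many possible layouts.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Issues and validates short-lived tokens: base64(userId|expiresUnix|base64(HMAC-SHA256)).
public static class ExpiringToken
{
    // Constructed placeholder; in production load a random 32-byte secret from protected config.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-32-random-bytes");
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static string Issue(string userId, TimeSpan lifetime)
    {
        if (userId.Contains("|")) throw new ArgumentException("user id must not contain '|'");
        long expires = (long)(DateTime.UtcNow.Add(lifetime) - Epoch).TotalSeconds;
        string payload = userId + "|" + expires;
        string mac = Convert.ToBase64String(Sign(payload));
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload + "|" + mac));
    }

    // True only if the MAC verifies and the expiry is still in the future; malformed input is rejected.
    public static bool TryValidate(string token, out string userId)
    {
        userId = null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(token)); }
        catch (FormatException) { return false; }

        string[] parts = decoded.Split('|');
        if (parts.Length != 3) return false;

        long expires;
        if (!long.TryParse(parts[1], out expires)) return false;
        if ((long)(DateTime.UtcNow - Epoch).TotalSeconds >= expires) return false;

        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }

        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), presented)) return false;
        userId = parts[0];
        return true;
    }

    private static byte[] Sign(string payload)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Secret))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // No early exit, so response time does not reveal how many leading bytes matched
    // (.NET 4.0 has no built-in fixed-time comparison).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The AJAX endpoint: token gate first, then the first answer's referrer check.
public class RecordsHandler : IHttpHandler
{
    private const string SiteHost = "www.example.com";  // assumed host of the calling page
    private const string TokenHeader = "X-Auth-Token";  // assumed header jQuery sets via beforeSend

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;

        // Gate 1: a valid, unexpired token proves a recent login. This is the real control;
        // a client that never authenticated cannot forge it without the secret.
        string userId;
        string token = request.Headers[TokenHeader];
        if (token == null || !ExpiringToken.TryValidate(token, out userId))
        {
            Reject(context, 401, "login required");
            return;
        }

        // Gate 2: Origin (sent by browsers on cross-site XHR) or Referer must name our host.
        // Both are client-supplied: this stops other sites' scripts in a normal browser,
        // not a scripted client that sets its own headers.
        if (!IsFromOurPage(request))
        {
            Reject(context, 403, "cross-site request refused");
            return;
        }

        context.Response.ContentType = "application/json";
        // Run the real database query for userId here; the body below is a placeholder reply.
        context.Response.Write("{\"user\":\"" + HttpUtility.JavaScriptStringEncode(userId) + "\",\"records\":[]}");
    }

    private static bool IsFromOurPage(HttpRequest request)
    {
        string origin = request.Headers["Origin"];
        Uri source;
        if (!string.IsNullOrEmpty(origin))
            return Uri.TryCreate(origin, UriKind.Absolute, out source) && HostMatches(source);
        source = request.UrlReferrer;  // the first answer's Request.UrlReferrer check
        return source != null && HostMatches(source);
    }

    private static bool HostMatches(Uri uri)
    {
        return string.Equals(uri.Host, SiteHost, StringComparison.OrdinalIgnoreCase);
    }

    private static void Reject(HttpContext context, int status, string reason)
    {
        context.Response.StatusCode = status;
        context.Response.ContentType = "text/plain";
        context.Response.Write(reason);
    }
}
```

At login the server calls `ExpiringToken.Issue(user, TimeSpan.FromMinutes(30))` and hands the value to the page; the jQuery side sends it back on every call with `$.ajaxSetup({ beforeSend: function (xhr) { xhr.setRequestHeader("X-Auth-Token", token); } })`. Registering `RecordsHandler` in web.config as the handler for the service path is left to the usual ASP.NET configuration. Note what the layering buys: the referrer gate alone is defeated by any client that sets its own headers, the token gate alone still lets a logged-in user's bot enumerate filters, so the expiry bounds how long a captured token is useful and the login it depends on is where rate limiting per account belongs.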
