On the Internet, security is overhyped: every third site you visit talks about it, but few sites actually take steps to implement it. This has been the complaint for years and it is still true today. Unless a site deals with financial transactions, most of the interfaces it exposes are insecure and prone to client-side attacks. I believe it is a false assumption that a site needs security only if it processes credit card payments. Security is not just about protecting ‘monetary transactions’. It also means protecting your computational resources (bandwidth, CPU usage), your intellectual resources (JS files, web services) and, of course, the services the site provides (such as acting as an SMS gateway).
In this post I take a look at some ridiculously simple security blunders committed by popular sites. They are not always critical, but they give an interesting insight into the design quality standards followed at these companies.
The easiest way to thwart leechers is to deny access to the scripts unless the requester is logged in. That takes care of direct linking (protecting computational resources). But there is no easy solution if someone simply copies the files off the server and hosts them on his own site (protecting intellectual resources). What do you do then? Probably obfuscate the code enough that he never knows which file he has to copy. Yahoo Mail does an excellent job of the obfuscation. Even their images are protected (in a loose way) by referring to them through their MD5 hashes; enough to deter a casual hacker. Keep in mind that obfuscation and hashed file names only raise the cost of copying: anyone who can load the page can still fetch every file it references, so they are a deterrent, not access control.
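The login-gated script handler described above, as an added example that is not code from the original post or from any site it mentions. It assumes a hypothetical server that keeps a signed session cookie; the script paths, the secret and the request headers are constructed for the demo. It goes one step beyond the text by also showing the common weak alternative, a Referer-only hotlink check, which any leecher can pass by forging the header.

```python
"""Gating static JavaScript behind a login session (added example).

Constructed demo: a hypothetical server-side check that refuses to serve
application scripts unless the request carries a valid signed session
cookie, next to a Referer-based hotlink check that a client can spoof.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server secret; in a real deployment load it from configuration.
SERVER_SECRET = b"constructed-demo-secret"

# Scripts that should only be served to logged-in users (hypothetical paths).
PROTECTED_SCRIPTS = {"/js/app.js", "/js/mailclient.js"}


def issue_session(user_id: str) -> str:
    """Mint an HMAC-signed session token of the form '<user>.<nonce>.<tag>'."""
    nonce = secrets.token_hex(8)
    body = f"{user_id}.{nonce}".encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return f"{user_id}.{nonce}.{tag}"


def session_is_valid(token: Optional[str]) -> bool:
    """Recompute the tag and compare in constant time; reject malformed tokens."""
    if not token:
        return False
    parts = token.rsplit(".", 1)
    if len(parts) != 2:
        return False
    body, tag = parts
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def _session_cookie(headers: dict) -> Optional[str]:
    """Pull the 'session' value out of a constructed Cookie header, if present."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def serve_script(path: str, headers: dict) -> int:
    """Session-gated static handler. Returns the HTTP status it would send.

    `headers` is a constructed dict of request headers with lower-case keys.
    """
    if path not in PROTECTED_SCRIPTS:
        return 404
    if not session_is_valid(_session_cookie(headers)):
        return 401  # direct link from a leecher with no login: refused
    return 200


def serve_script_referer_only(path: str, headers: dict) -> int:
    """The weak alternative: trust the Referer header (hypothetical origin).

    Any HTTP client can set Referer, so this stops only careless hotlinking.
    """
    if path not in PROTECTED_SCRIPTS:
        return 404
    referer = headers.get("referer", "")
    return 200 if referer.startswith("https://mail.example.test/") else 403


if __name__ == "__main__":
    token = issue_session("alice")
    print("no session        ->", serve_script("/js/app.js", {}))
    print("valid session     ->", serve_script("/js/app.js", {"cookie": f"session={token}"}))
    print("tampered session  ->", serve_script("/js/app.js", {"cookie": "session=" + token.replace("alice", "admin", 1)}))
    print("forged Referer    ->", serve_script_referer_only("/js/app.js", {"referer": "https://mail.example.test/inbox"}))
```

The session check refuses anything without a tag that verifies under the server secret, so a copied or edited cookie fails just like a missing one; the Referer variant is kept only to show why a header the client controls cannot stand in for a login.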
While designing any API, there is a golden rule that has to be followed…
All input is evil