[Secure AJAX for PHP] SAJA

How Secure is SAJA?

SAJA has two levels of security that you should be aware of. The first I call "function" level security, meaning that any functions you add to Saja's special ajax-callable files will be protected from the outside world. Only someone who has first visited your site will have the ability to call your server-side functions.

SAJA optionally uses RC4 encryption for the actual data that was provided by the end-user. RC4 is considered very secure, especially for infrequent small bursts of data. RC4 is a symmetric algorythm, meaning that the same method is used to decrypt as to encrypt the data. It also uses a shared public key, so the key used to encrypt is also the key used to decrypt.

SAJA should never be used as a replacement for HTTPS. It is meant only to provide a level of security that is better than standard HTTP. A determined hacker could potentially compromise any data sent by SAJA, although it would be much harder than intercepting non-encrypted data.

Function-Level Security

The function name is stored in a PHP session on your server. The function name is never sent to the end user, so only the owner of the session has the ability to execute that specific function.

Data-Level Security

The POST data from a SAJA request is encrypted using a JavaScript implementation of RC4. The only notable difference is that the key used to encrypt the data must be exposed to the end-user since the encryption is done on the client-side. This means that the data itself can only be considered secure as long as the intruder is not able to intercept the key itself before the client responds.