How secure is JSON data?


#1

Let’s suppose I am building a HTML5 application that uses Dreamfactory’s authentication to login securely to access my backend services. Then at some point, I decide to create a page in the app with a datagrid that queries the backend for some sensitive data (i.e employee names and their social security information).
How do I secure that JSON data stream when the backend API is called?


#2

If you’re using the API to build a data grid of the sensitive data, there’s no reason to hide it.
However, if you have fields you don’t need in the grid that are sensitive, use the fields=“list of fields” param in your request and leave those fields out.
Alternatively, you could use server side scripting to weed out the data you don’t want the client to see in the scripting section of the admin panel. Https will encrypt all data on the wire as well.


#3

Jason,

Thanks for your quick reply. However, I’m trying to show all sensitive information in the datagrid without having the data being intercepted over http. Is this possible?


#4

You need to use https. The html representing the data grid is just as sensitive as the json used to build it.

We do have a roles section dedicated to securing your data , why not use a role , behind authentication?

In that scenario someone would have to be logged in, with their account in a role with access.


#5

Does the HTML5 application have to live on the Dreamfactory instance for this to work?


#6

No, not at all. https://github.com/dreamfactorysoftware/dsp-core/wiki/Roles