
How to secure all JSON requests and responses in angularjs and rails …?

I have built an application using Rails and AngularJS. When I am trying to access the data from the db using Rails through JSON requests, it shows all the response data in the console. It may cause a security problem. So is there any way to not display the data in the console?

JSON stands for JavaScript Object Notation. Javascript that runs on a web page, runs on the client side.

This means that any code that you write in JS and send down the connection, can be edited and manipulated by a client. This also applies to JSON.

There is no way to stop the client from seeing restricted data if you send it to them. What you should be thinking about is why you're doing that.

You should only send a client sensitive information that they should have the right to see (eg only their bank account details, not everyone's). You can authenticate and authorise users to make sure this is the case.

You could also consider having some AJAX-based system that sends only parts of the sensitive data at a time, so that it is not disclosed in its entirety in one request.

Edit

I just re-read your question.

The response from rails after a User creation should have a custom as_json method on the model that sends the JSON for that user excluding sensitive information. For example:

    def as_json(options = nil)
      defaults = { methods: :status, except: [:created_at, :updated_at, :password, :password_confirmation] }
      defaults.merge! options if options
      super defaults
    end

And in the response, call

    @user.to_json
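
Added example, not part of the original answer: a plain-Ruby stand-in (no Rails) that contrasts the `except:` denylist pattern with an allowlist. It shows that a denylist serializes any column it does not name and that merged caller options can replace it. The row, its column names (`password_digest`, `reset_token`) and the helper names are constructed assumptions.

```ruby
require "json"

# Constructed stand-in for a database row; column names are assumptions.
USER_ROW = {
  id: 7, email: "a@example.test", status: "active",
  password_digest: "$2a$12$constructed", reset_token: "constructed-token",
  created_at: "2024-01-01", updated_at: "2024-01-02"
}.freeze

# Columns that must never reach the browser (assumed for this example).
SECRET_FIELDS = %i[password_digest reset_token].freeze

# Denylist in the style of the answer: caller options replace the defaults.
def denylist_json(row, options = nil)
  defaults = { except: [:created_at, :updated_at, :password, :password_confirmation] }
  defaults.merge!(options) if options
  row.reject { |key, _| defaults[:except].include?(key) }
end

# Allowlist: only explicitly named public fields can leave the server.
PUBLIC_FIELDS = %i[id email status].freeze

def allowlist_json(row, options = nil)
  requested = options && options[:only] ? Array(options[:only]) : PUBLIC_FIELDS
  # Intersect with PUBLIC_FIELDS so callers can narrow the set, never widen it.
  row.slice(*(requested & PUBLIC_FIELDS))
end

# Names of secret columns present in a serialized payload.
def leaked(payload)
  payload.keys & SECRET_FIELDS
end

puts "denylist:  #{JSON.generate(denylist_json(USER_ROW))}"
puts "  leaked:  #{leaked(denylist_json(USER_ROW)).inspect}"
puts "allowlist: #{JSON.generate(allowlist_json(USER_ROW))}"
puts "  leaked:  #{leaked(allowlist_json(USER_ROW)).inspect}"
```

In a request spec, a check like `leaked` run against the parsed response body catches a secret column that a later migration adds.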
