
Little Tips 3: AJAX Can be More Haxxed

In the rush to add fun effects to our sites through JavaScript and other programming tricks, it’s important to know just how this affects the overall security of your site and server. Most people don’t realize that while JavaScript allows fun stuff like Windows-style effects (lightbox on images, drag and drop, areas opening and closing on your site without a page reload, etc.), this same functionality also gives the user more power and ability to alter how your site works. Allowing the web browser to do programming-level actions means that the end user, i.e. the Hacker, now has more information about how your site works, since variables and other programming information have to be exchanged between the web browser and the web server. In general, JavaScript opens the most holes in security for any website, and overreliance on it makes it almost impossible to be totally secure. Nasty things like Cross Site Scripting (XSS) attacks, and other methods to grab cookie or session authentication data, all occur due to the loose way that JavaScript was designed. (This is usually how Hackers get your admin login or are able to log into your admin area.)
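To make the point about exchanged variables concrete, here is an added example (not code from this site): a server-side handler for an AJAX call, first trusting a field the browser sent, then deciding from its own session record, plus a session cookie that page scripts cannot read. All names, session ids and the request body are constructed for illustration.

```javascript
// Added example with hypothetical names and constructed data.
// Server-side session store: the only place a user's role is recorded.
const sessions = new Map([
  ["sess-alice", { user: "alice", role: "admin" }],
  ["sess-bob", { user: "bob", role: "member" }],
]);

// Constructed AJAX body as it might arrive after the visitor edited the
// page's script variables in the browser before the request was sent.
const tamperedBody = { postId: 7, isAdmin: true };

// Weak: believes a flag that the browser-side script put in the request.
function deletePostTrusting(body) {
  return body.isAdmin === true ? { status: 200 } : { status: 403 };
}

// Hardened: ignores any role the client claims, looks the role up from
// the session id, and validates the one field it actually needs.
function deletePostChecked(sessionId, body) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401 };
  if (!Number.isInteger(body.postId) || body.postId <= 0) {
    return { status: 400 };
  }
  if (session.role !== "admin") return { status: 403 };
  return { status: 200, deleted: body.postId };
}

// Session cookie marked HttpOnly so script running in the page, injected
// or not, cannot read it; Secure and SameSite narrow where it is sent.
function sessionCookie(sessionId) {
  const value = encodeURIComponent(sessionId);
  return `sid=${value}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Encode visitor-supplied text before placing it into HTML sent back.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

console.log(deletePostTrusting(tamperedBody));           // accepted
console.log(deletePostChecked("sess-bob", tamperedBody)); // refused
console.log(sessionCookie("sess-bob"));
```
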

So remember, next time you really want some flashy effects for your site, ask yourself: is this functional or just an effect? Remember, in 1997 flashing text was considered really cool, as was scrolling text. Do they seem so cool now? The content is really what has value. Flashy stuff may seem crappy later and only make it more likely that you see “I Haxored J00” at the top of your website.

For some more reading on this subject, check out Ars Technica.
