Monday, September 16, 2024

Ajax Applications Can Be Secure

Building a web-based application on the dynamic features of Ajax does not have to come at the expense of users' security.

Scott Dietzen with the open source collaboration firm Zimbra wrote about Ajax security in a recent blog post. He opened by noting several advantages present in Ajax on the security side:

• Dynamic Ajax client download – Ajax client code is downloaded on demand from the trusted server after a particular user logs in, automatically ensuring client and server versions are in sync.

• No persistent client caching – An exposure with traditional web clients is that they cache HTML pages that can include user/application data on the client disk during normal operation. This can be a security vulnerability for access from public kiosks or other shared computers.

• Server-side control of intranet and Internet mash-ups – Zimlets and other Ajax mash-ups are precluded from accessing arbitrary services on the Internet (unless they open a new iframe, which can be determined at server deployment time), and must instead (like Java applets) make all invocations back to the originating server (in our case, the Zimbra server).

“This means the Ajax server can act as a secure, proxy gateway for accessing intranet applications, and can govern which external web services (if any) are accessible for mash-up within the Ajax client,” wrote Dietzen.
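As an added example, not code from Zimbra or from Dietzen's post, the following Node.js sketch implements the gateway policy the third bullet and the quote describe: the Ajax client only ever calls its originating server, that server decides from a deployment-time allowlist which external hosts may be reached, intranet services are exposed only under short names so their internal addresses never reach the browser, and every proxied response is marked non-cacheable so user data is not left on a shared machine's disk. The host names, service names, the `authorizeMashup` and `gateway` functions and the injected `upstreamFetch` stub are all assumptions made for illustration.

```javascript
// Added example (not Zimbra's code): a minimal server-side mash-up gateway.
// All host and service names below are hypothetical.

// External hosts this deployment permits. Matched exactly, not by suffix,
// so "api.weather.example.evil.test" does not pass as "api.weather.example".
const EXTERNAL_ALLOWLIST = new Set(["api.weather.example", "maps.example"]);

// Intranet services reachable through the gateway, keyed by the name the
// client is allowed to use. The internal address never reaches the browser.
const INTRANET_SERVICES = {
  directory: "http://ldap-gw.corp.internal:8080/people/",
  tickets: "http://helpdesk.corp.internal/api/",
};

// Decide whether a client request may be proxied.
// Returns { allowed: true, upstream } or { allowed: false, reason }.
function authorizeMashup(session, target) {
  // Like the client download itself, the gateway is only usable after login.
  if (!session || !session.user) return { allowed: false, reason: "not logged in" };

  if (target.service !== undefined) {
    // Intranet call: the client names a service and a path relative to it.
    const base = INTRANET_SERVICES[target.service];
    if (!base) return { allowed: false, reason: "unknown intranet service" };
    let upstream;
    try {
      upstream = new URL(String(target.path || ""), base);
    } catch {
      return { allowed: false, reason: "bad intranet path" };
    }
    // Resolving first and then comparing catches "..", "%2e%2e", "//host/"
    // and absolute URLs alike: anything that escapes the service's base path.
    if (!upstream.href.startsWith(base)) return { allowed: false, reason: "bad intranet path" };
    return { allowed: true, upstream: upstream.href };
  }

  // External call: the client supplies a full URL that must be allowlisted.
  let url;
  try {
    url = new URL(String(target.url));
  } catch {
    return { allowed: false, reason: "unparseable url" };
  }
  if (url.protocol !== "https:") return { allowed: false, reason: "https only" };
  if (url.username || url.password) return { allowed: false, reason: "credentials in url" };
  if (url.port !== "") return { allowed: false, reason: "non-default port" };
  if (!EXTERNAL_ALLOWLIST.has(url.hostname)) return { allowed: false, reason: "host not allowlisted" };
  return { allowed: true, upstream: url.href };
}

// Headers for every gateway response: JSON the browser must neither store
// on disk nor sniff into another content type.
function responseHeaders() {
  return {
    "Content-Type": "application/json; charset=utf-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
  };
}

// Gateway entry point. upstreamFetch(url) is injected so the policy can run
// without network access; in production it would be a real HTTP client.
function gateway(session, target, upstreamFetch) {
  const decision = authorizeMashup(session, target);
  if (!decision.allowed) {
    return { status: 403, headers: responseHeaders(), body: JSON.stringify({ error: decision.reason }) };
  }
  return { status: 200, headers: responseHeaders(), body: upstreamFetch(decision.upstream) };
}

// Constructed sample run: a logged-in session, a stub upstream, three requests.
const demoSession = { user: "alice" };
const stubFetch = (url) => JSON.stringify({ fetched: url });
const demoResults = [
  gateway(demoSession, { url: "https://api.weather.example/today?city=Oslo" }, stubFetch),
  gateway(demoSession, { url: "https://api.weather.example.evil.test/x" }, stubFetch),
  gateway(demoSession, { service: "directory", path: "%2e%2e/admin" }, stubFetch),
];
console.log(demoResults.map((r) => `${r.status} ${r.body}`).join("\n"));
```

The exact-hostname match and the resolve-then-compare check on intranet paths are the two places where a looser implementation would quietly widen the allowlist; the `no-store` header is what actually delivers the "no persistent client caching" property for data fetched over XMLHttpRequest, since the browser applies ordinary HTTP caching rules to those responses too.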

Securing an Ajax application still comes down to the web technologies beneath it. The properties Dietzen lists are only as strong as the browser's same-origin policy and the server's HTTP configuration: a response carrying user data stays off a shared machine's disk only if the server marks it non-cacheable, and a mash-up stays confined to the originating server only while the browser enforces the same-origin policy. Where those foundations are sound, the application built on them can be made secure too.

Developers of proprietary, rather than open source, applications may worry about exposing their source code. As Dietzen noted, the Ajax client code is downloaded to the browser, so anyone who can log in can read it.

That exposure can be reduced by limiting logins to trusted users or partners, or by keeping the sensitive algorithms on the server and exposing them to the client only as web service calls, so the code itself is never sent to the browser. Whatever does reach the browser should be treated as readable by its user.

Requiring additional means of reaching the application, such as a VPN tunnel or a smartcard, can raise the bar further, according to Dietzen.

David Utter is a staff writer for Murdok covering technology and business.
