Front-End Encryption

When you send form data to the server, do you send the data as-is, without encryption, or do you encrypt it?

It depends upon the nature of the data, but if the data could be considered sensitive, then you will want to use encryption.

Any suggestion on what to use to encrypt, or do you write custom encryption?

You don’t write it yourself, no, and you generally aren’t going to encrypt the form data, though that’s completely dependent on the use case.

Just to be clear, there are different levels of encryption. The easiest (and most secure) is using https:// over http://, which more or less means the data being transferred over the internet is encrypted and managed by the server and browser together. This sort of encryption will protect you against someone “reading” your data between the browser and server.

Now, if you’re concerned with something like encrypting your network calls so the client can’t see them (via dev-tools or otherwise), you’re left with encrypting data on the client side, which isn’t secure, as any encryption code is already exposed to the client as-is. This means anyone with enough determination can find out how you encrypt your network data and reverse engineer it, so it could be argued you would make things more complex for minimal, if any, security.

So focus on making sure your site/form is secured with https:// and let the browser and server do the security work for you, as it’s more or less built in 🙂


Never, ever, under any circumstances roll your own encryption for real world applications.

There are too many ways encryption can go wrong.


I see!!! Thanks for this awesome reply!!
I am a bit confused with the whole HTTP and HTTPS part.

I understand Front-End and Back-End individually and have had success building a Full Stack authentication system. My issue is that I am not too sure how HTTP and HTTPS play a part in the whole full stack ecosystem along with the security thing.

Currently, I am using a package called “cors” to bypass CORS issues. I don’t know if this is what I am supposed to do since I don’t know much about HTTP headers.

Am I missing something?
I think I am…

I recommend reading more about network security in general as there are multiple levels of security you would want to consider for any production grade app. Just adding a middleware (like cors) doesn’t magically make your app secure. Another way to think about it is you should be able to determine how every part of your app is secure as attacks could come from every level.

For example, did you consider that the data being entered on your form could be compromised, or be used as an attack vector via ACE (arbitrary code execution) once it’s submitted to the backend? Or did you consider whether your front-end is secure against XSS (cross site scripting)?

There are tons of things to consider, making almost any programming decision also a security one. This is why I believe all developers should also learn security, as knowing how to build something isn’t enough, you need to know how to secure what you build.

So basically, if you are asking “Am I missing something”, you are, but finding out what is just the start, as you need to understand what you’re missing (security-wise) and be able to implement security to protect against it.

Good luck!
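Two of the “every level” checks the reply above refers to, as an added example that is not the poster’s code: a deliberate CORS allow-list (instead of the blanket `cors()` middleware the question mentions, which by default answers every origin with `*`), and validating submitted form fields plus escaping them before they are echoed back into HTML, which is the basic defence against the reflected XSS case the reply names. The origins in `ALLOWED_ORIGINS` and the `validateSignup` field rules are made-up placeholders for this example.

```javascript
// Added example, not code from the thread. Plain Node, no framework.
// ALLOWED_ORIGINS is a constructed placeholder list for the example.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Decide which CORS headers (if any) to send for a request.
// Returns null when the Origin is not on the list: the browser then blocks
// the cross-origin read, instead of the server silently allowing everyone.
function corsHeadersFor(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (!origin || !allowed.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,       // echo the matched origin, never '*'
    'Access-Control-Allow-Credentials': 'true',  // cookies only for listed origins
    'Vary': 'Origin',                            // shared caches must key on Origin
  };
  if (req.method === 'OPTIONS') {                // preflight request
    headers['Access-Control-Allow-Methods'] = 'POST, GET, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Escape a string before placing it inside HTML text or attributes, so a
// submitted value such as "<script>..." is shown as text, not executed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Validate submitted form fields before they touch the database or any
// other backend component. The field rules are an assumption for the example.
function validateSignup(body) {
  const errors = [];
  const username = typeof body.username === 'string' ? body.username.trim() : '';
  if (!/^[a-z0-9_]{3,32}$/i.test(username)) errors.push('username');
  const email = typeof body.email === 'string' ? body.email.trim() : '';
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push('email');
  }
  return { ok: errors.length === 0, errors, value: { username, email } };
}

// Render the confirmation page: every user-controlled value passes through
// escapeHtml on the way into the markup.
function renderConfirmation(username) {
  return `<p>Welcome, ${escapeHtml(username)}!</p>`;
}

module.exports = { corsHeadersFor, escapeHtml, validateSignup, renderConfirmation };
```

In a request handler the order is: apply `corsHeadersFor` (and answer preflights with 204), reject a body that fails `validateSignup` with a 400 before doing anything else with it, and only ever put form values into HTML via `escapeHtml`. A template engine that auto-escapes does the last step for you; the point is that it has to happen somewhere, and the `cors` package does none of this.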


In my own opinion, I think the HTTPS protocol uses an SSL (secure sockets layer) certificate, which helps create a secure encrypted connection between the server and the browser. (I stand to be corrected.)