General question about security in KendoUI websites

2 posts, 0 answers
  1. Patrick
    34 posts
    Member since:
    Oct 2011

    Posted 14 Apr 2012

    Apologies if this is a silly question, but one concern I have about KendoUI websites (and client side binding generally) is that if a grid binds client side to json data, then the entire data source (or at least the entire results of the query returning Json) is visible to anyone in the web page that is returned, simply by doing view source for that page.

    That may be ok for publicly available data, such as Twitter feeds, or movie databases, or products from a company website (where all the products can be viewed), but for financial, social or medical applications where users may have personal data, it would violate security and data protection for the entire query result set to be visible in a web page via json. 

    So please would Telerik and/or the KendoUI team comment on when you feel that client binding is acceptable and when it is not?
    (Comments from anyone else re this are welcome too!)

    Many thanks

  2. Alex Gyoshev
    2515 posts

    Posted 16 Apr 2012

    Hello Patrick,

    How is the client-side binding different from the server-side binding in terms of security? They are different means to achieve the same goal, getting the data to the users. Controlling who has access to the data is left to the developer in both cases -- if you show sensitive information by server-side binding, it is just as good as showing it through a client-side one. Case in point, the Facebook graph API is accessed mostly client-side, and still it controls whether you have access to the personal data that you provide -- you cannot query all the data about a person who is visiting your website.

    Kind regards,
    Alex Gyoshev
    the Telerik team
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!