Protecting against JSON Hijacking

dey_santanu
Participant II

Please refer to this link http://stackoverflow.com/questions/2669690/why-doe...

It seems Google and Facebook prepend their cookie authenticated JSON API Payloads with

	for (;;);

or

	while(1)

to avoid JSON Hijacking threat.

Is there an easy way to implement this in a blanket way in Apigee Edge? For example something like the CORS checkbox or a policy to take care of it.

1 ACCEPTED SOLUTION

Hello @santanu4g,

If you have a cookie-authenticated JSON API, you could use the AssignMessage policy in the PostFlow response to set something like:

	<Payload>while(1);{response.content}</Payload>

right?

second, if you haven't seen this already - http://haacked.com/archive/2009/06/25/json-hijacki...

lists when you actually need this. For example, I think that for APIs protected with OAuth this may not be needed, and similarly there could be other ways to avoid this depending on your security scheme.

Thanks,
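As an added example (not code from this thread, from Apigee, or from the linked articles), the following plain JavaScript shows both halves of the technique the question and the accepted answer describe: the server-side step that the AssignMessage `<Payload>` performs, prepending a statement that never finishes when the body is executed as a script, and the client-side step that every legitimate same-origin caller must then perform, stripping that fixed prefix before parsing. The function names `armorJson`, `parseArmoredJson` and `isPlainJson`, the prefix constant and the sample payload are assumptions made for this example.

```javascript
// Added example, not code from the original thread. Demonstrates the
// "while(1);" JSON-hijacking prefix end to end: what the answer's
// AssignMessage <Payload> does on the server, and what a legitimate
// same-origin client has to do to consume the result.
const HIJACK_PREFIX = "while(1);";

// Server side: wrap the JSON body so that loading it via <script src=...>
// from another origin runs an endless loop before the data is reached.
function armorJson(value) {
  return HIJACK_PREFIX + JSON.stringify(value);
}

// Client side: fetch()/XHR callers on the real site read the raw text,
// drop the known prefix and only then hand the rest to JSON.parse.
// A body without the prefix is rejected rather than parsed, so a
// response that somehow bypassed the policy is noticed, not silently used.
function parseArmoredJson(body) {
  if (typeof body !== "string" || !body.startsWith(HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(HIJACK_PREFIX.length));
}

// Helper used to show that the armored body is deliberately not valid JSON:
// a naive JSON.parse on it fails, which is the property that stops the
// old Array-constructor / setter tricks from reading the values.
function isPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample payload (not real data): a cookie-authenticated
// endpoint returning a top-level array, the shape that was exploitable in
// older browsers when the body was executed as a script.
const samplePayload = [{ id: 1, email: "alice@example.test" }];
const wireBody = armorJson(samplePayload);

console.log(wireBody);                         // while(1);[{"id":1,"email":"alice@example.test"}]
console.log(isPlainJson(wireBody));            // false
console.log(parseArmoredJson(wireBody)[0].id); // 1
```

Two points follow from the code. First, the prefix has to be exactly one fixed string that every client of the API knows and strips; if different proxies emit `for (;;);` and `while(1);` for the same API, clients break. Second, the protected body is no longer parseable as `application/json` by generic tooling, which is the intended cost: only the browser code that already shares the session cookie knows how to undo it, and, as the answer and the follow-up note, an OAuth bearer-token API does not need it because a `<script>` tag cannot attach the token.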


2 REPLIES


For OAuth APIs this is not needed. Like I said, this is only for APIs that are directly consumed by browsers. Assign Message policy is good for this case. I was curious if this would be added as a feature, like CORS.