
Just wondering if there could be any issue building a shopping cart using Backbone.js and, more specifically, if there were any security issues using hash-bangs over HTTPS?

Also I guess I can POST credit card details through AJAX, correct?

Cheers,

sebarmeli

1 Answer

  1. You still need robots.txt to keep your URLs from being indexed, even if you're using HTTPS. The #! (hashbang), as opposed to # (hash), provides a way to index sites by their URL fragment. Instructions for disallowing are on the Google page about indexing hashbangs. In practice you likely won't have to worry about it, because Google's crawlers aren't authenticated and won't index an error. But if a Google Toolbar is installed, the URLs with fragments may be sent to Google before Google determines that the URL+fragment will not be indexed. To simplify things, you could use # instead of #! after logging in; a # deep link will not be indexed.

  2. If a request is made through HTTPS, it's encrypted, whether it's AJAX or not. If your Backbone model URL starts with https://, it will either send it encrypted or fail. From a network eavesdropping perspective, it's the same as posting without AJAX.

Benjamin Atkin
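The check behind point 2 of the answer, as an added example that is not code from the answer or from Backbone.js: a wrapper around Backbone.sync that resolves the model URL the way the browser would and refuses to send anything unless the result is https. `secureSync`, `assertHttpsUrl`, `fakeSync` and the `shop.example` origin are assumed names and constructed sample values.

```javascript
// Added example, not from the answer or Backbone.js. Names and the sample
// origin are assumptions; the aim is that card details never leave the page
// over plain HTTP even if someone later changes a model's url.

// Resolve the model's url against the page (relative URLs are resolved the
// same way the browser would) and refuse anything that is not https.
function assertHttpsUrl(modelUrl, pageHref) {
  const resolved = new URL(modelUrl, pageHref);
  if (resolved.protocol !== 'https:') {
    throw new Error('refusing to send over ' + resolved.protocol + ' to ' + resolved.href);
  }
  return resolved.href;
}

// Wrap an existing sync function (Backbone.sync in a real app). The check runs
// on the URL the request would actually use: options.url takes precedence over
// the model's own url, mirroring Backbone's behaviour.
function secureSync(originalSync, pageHref) {
  return function (method, model, options) {
    const opts = options || {};
    const modelUrl = typeof model.url === 'function' ? model.url() : model.url;
    const url = assertHttpsUrl(opts.url || modelUrl, pageHref);
    return originalSync(method, model, Object.assign({}, opts, { url: url }));
  };
}

// Stand-in for Backbone.sync / $.ajax: records what would have been sent
// instead of performing a request, so this runs offline.
function fakeSync(method, model, options) {
  return { method: method, url: options.url, attrs: model.attributes };
}

// Constructed sample: a checkout page served over https with a relative
// payment model url (no real card data, just a last-four placeholder).
const checkoutPage = 'https://shop.example/#!/checkout';
const cardModel = { url: '/api/payments', attributes: { last4: '1111' } };

function demoSend() {
  const sync = secureSync(fakeSync, checkoutPage);
  return sync('create', cardModel, {});
}
```

In a real app the same wrapper is installed once with `Backbone.sync = secureSync(Backbone.sync, window.location.href)`, so every model save goes through the check.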
  • 1. OK for SEO, but no security issues using hashbangs, right? – sebarmeli Aug 09 '11 at 22:31
  • 2. Sweet, so I can build a whole shopping cart in AJAX without worrying about security. – sebarmeli Aug 09 '11 at 22:32
  • The hashbang was invented because AJAX content pulled down using hash fragments isn't indexed. If you don't want it to be indexed, don't bother with the hashbang. If you want part of your site that uses hashbangs indexed, you can either figure out the robots.txt thing (probably you'll just need to list out paths, like `Disallow: /*_escaped_fragment_/projects` and `Disallow: /*_escaped_fragment_/people` if you want to keep /projects and /people from being indexed), or you can just trust that the Google Toolbar and similar won't be a problem unless you're using Google Doc-style secret URLs. – Benjamin Atkin Aug 09 '11 at 22:40
  • Google Doc-style secret URLs (Google didn't invent it; just using it as an example) are URLs where the URL is secret but the content can be accessed without any authentication beyond the URL itself. These should be disallowed in robots.txt; otherwise Google Toolbar or similar might send a URL to Google, and Google might pull down the content and index it. It can't do that if the URL requires cookie authentication before it can be retrieved. – Benjamin Atkin Aug 09 '11 at 22:43