I am building an ASP.NET web application that has numerous forms for public users to sign up and enter in data to be saved into a database. I’ve always wanted to dig a little deeper into true AJAX so I have writing many of the transactions as RESTful WCF web services. Transactions like new user registration, user login and simple form submissions are all done via AJAX.

Upon a code review a team member objected to this approach on the basis that,

“it is less secure than full postbacks because .NET has ‘security measures’ like ViewState to prevent abusive clients from hammering the server.”

• Does this argument have merit?
• How much more am I exposing my application to abuse by using RESTful web services than If I used full postbacks?

I’m not necessarily looking for .NET, WCF or even ViewState specific responses though those will certainly be more relevant to my particular situation. I am looking for answers that address the technical approaches themselves – not the implementations of them. A web service that can modify any user account without validating the authorization is obviously a bad implementation. A “full postback” page can have an equally poor implementation. Therefore this argument would be neither here nor there.

Is there anything inherent to RESTful web services (or web services in general) that make them more insecure than a traditional .net postback?