I am looking to start Ajax for the first time. I will be using it to do a server-side validation of a field in a form. Basically, the Ajax delivers the input that the user gives, and some PHP code carries out an if else rule and sends a response back accordingly. In my PHP code, some strings will contain sensitive data. Will users be able to read or see these strings in any way?
Thanks for all the helpful answers, it’s now very clear :).
Answer
Yes, users can see what the server responds with if they try. BUT, if your sensitive data is in PHP code and is never part of the response, they’ll not be able to see it.
Although, never put sensitive information in the source either because anyone who has access to your source code in PHP will be able to have that information. A creepy web hosting company can theoretically do that if they want.
Tip
Since you are starting out I would like to mention you should use jQuery to do your Ajax stuff.
Attempt to explain Ajax
When you make an Ajax call you send a request using the HTTP protocol after the page load. JavaScript makes the request, receives a response and makes changes to the HTML DOM that’s loaded in the browser without a refresh.
So in other words, it’s just like a request made by the browser in terms of protocol, just that it’s an Ajax function doing it. So whatever applies to these requests from the browser applies here too.
Typically the response is a JSON string since that’s easy for the Ajax function to interpret as it’s JavaScript.
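An added example (not part of the original answer) of a PHP validation endpoint where the sensitive string is compared on the server and only a verdict is sent back as JSON. The file name `validate.php`, the POST field name `field` and the `INVITE_CODE` environment variable are assumptions made for illustration.

```php
<?php
// validate.php - added example. The file name, the POST field "field"
// and the INVITE_CODE environment variable are assumed names.
declare(strict_types=1);

// PHP warnings and stack traces can contain variable contents, so keep
// them out of the HTTP response (log them server-side instead).
ini_set('display_errors', '0');

/**
 * Build the only data that leaves the server for a given input.
 * The secret is used for the comparison and never copied into the result.
 */
function validate_field(string $input, string $secret): array
{
    // hash_equals() is a timing-safe string comparison.
    $ok = hash_equals($secret, $input);

    // Verdict and a generic message only. Echoing the expected value,
    // or a hint about it, would put it in front of the user.
    return [
        'valid'   => $ok,
        'message' => $ok ? 'Accepted' : 'Value not accepted',
    ];
}

// Read the secret from the environment instead of hard-coding it,
// so it is not readable by anyone who can read the PHP source.
$secret = getenv('INVITE_CODE');
if ($secret === false || $secret === '') {
    http_response_code(500);
    exit; // misconfigured: send an empty body, no details
}

// A request such as field[]=x arrives as an array; treat it as empty.
$input = $_POST['field'] ?? '';
if (!is_string($input)) {
    $input = '';
}

header('Content-Type: application/json');
echo json_encode(validate_field($input, $secret));
```

The browser's network tab will show the request body and the JSON verdict, which is everything the user can observe from this exchange.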