Not so much a programming language… I’m building a website with many jQuery Ajax calls, not just to load data but also to perform many actions in my website, including admin-specific actions like attributing groups to users, blocking user access, etc.
I don’t do any user validation via JS; my Ajax requests get handled by PHP, so for all of these admin actions I first make sure that the user is in fact an admin (I check session/database information for this). I think this is the right way to go, but there is one thing that has been bugging me…
Consider this: my admin.php references an external .js file with all these Ajax calls. A common user doesn’t have access to the admin page, but they can very well navigate to my js folder and see my admin.php Ajax scripts, and these scripts of course contain sensitive information in the parameters, stuff like the URL and the type (POST/GET). I trust (to an extent of course, security is a big deal) my PHP code to secure my application, but it still kinda… grinds my gears… that people know my URLs and what type of calls I make.
Maybe I’m just paranoid. If my code is safe, why should I care if people see this information? (Although declaring something as SAFE in web development should be the definition of ‘cocky’.) Either way, this is what I considered:
- Not using external files on my admin pages, but it makes things not so well organized… I like to separate HTML from JS/PHP/etc.
- Some sort of .htaccess-fu? Denying access to my js folder ultimately breaks functionality, so maybe someone out there has a better idea?
- Compressing my js files (with http://jscompress.com/ or similar) isn’t really a solution, but it makes things harder to read.
Any input on this would be great.
Why does denying access to your js folder break functionality?
You can keep the files accessible but make sure they can’t list contents, which already forces people to “guess” your filenames.
Other than that, I honestly don’t see any problem with them being able to deduce the calls you make.
As long as your calls are secured in your PHP back-end, this shouldn’t really give you any trouble.
Furthermore, minifying is a great way to abstract your visible code, but calls will always be easily sniffed out with Firebug or Fiddler.
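The point of the answer is that the visible URL and HTTP method are not secrets; the server-side check on every admin request is what protects the action. The following is an added example of such an endpoint, not the original poster's code: it assumes a PHP session that stores `user_id` at login, a `users` table with `is_admin` and `blocked` columns, a `user_groups` table, a PDO connection to a SQLite file `app.db`, and that the admin page sends a CSRF token in an `X-CSRF-Token` header (all of these are assumptions for illustration). The CSRF check is a caveat worth adding alongside the admin check: because anyone can read the URLs and methods from the .js file, a logged-in admin could otherwise be tricked by another site into issuing these POSTs.

```php
<?php
// admin_action.php - added example of an admin-only Ajax endpoint (not the
// poster's code). Assumed schema: users(id, is_admin, blocked), user_groups(user_id, group_id).
declare(strict_types=1);

session_start();

function json_fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $msg]);
    exit;
}

function current_user_is_admin(PDO $pdo): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    // Re-check the database on every request instead of trusting a flag
    // cached in the session, so revoking admin rights takes effect at once.
    $stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return (bool) $stmt->fetchColumn();
}

function csrf_token_valid(): bool
{
    // Token issued to the admin page and echoed back by jQuery in a header
    // (assumed convention); hash_equals avoids a timing side channel.
    $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $sent);
}

$pdo = new PDO('sqlite:app.db'); // assumed connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// State-changing actions are POST only; knowing the method gains an attacker nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    json_fail(405, 'POST required');
}
// The authorization check every admin URL must perform, regardless of who found it.
if (!current_user_is_admin($pdo)) {
    json_fail(403, 'admin only');
}
if (!csrf_token_valid()) {
    json_fail(403, 'bad csrf token');
}

$action = $_POST['action'] ?? '';
$userId = filter_input(INPUT_POST, 'user_id', FILTER_VALIDATE_INT);
if ($userId === false || $userId === null) {
    json_fail(400, 'bad user_id');
}

switch ($action) {
    case 'block':
        $pdo->prepare('UPDATE users SET blocked = 1 WHERE id = ?')->execute([$userId]);
        break;
    case 'assign_group':
        $groupId = filter_input(INPUT_POST, 'group_id', FILTER_VALIDATE_INT);
        if ($groupId === false || $groupId === null) {
            json_fail(400, 'bad group_id');
        }
        $pdo->prepare('INSERT INTO user_groups (user_id, group_id) VALUES (?, ?)')
            ->execute([$userId, $groupId]);
        break;
    default:
        json_fail(400, 'unknown action');
}

header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

With this in place the jQuery file can be public: a non-admin who reads the URL and replays the POST gets a 403 before any action runs. For the directory-listing point in the answer, the Apache directive `Options -Indexes` in the js folder's `.htaccess` stops the listing while still serving individual files the pages reference.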