Is JavaScript Secure?
Get introduced to JavaScript and learn how secure it is as a programming language.
We'll cover the following
Web 1.0
Since its introduction on December 4, 1995, JavaScript (JS) has become a fundamental part of how users interact with the web. Before the launch of the beloved scripting language, websites completely lacked the ability to dynamically change the contents of a web page after it was loaded in the browser; the web pages were “static.” What the user saw was what the user got.
The web had very little in terms of interactivity at all. HTML 1.0, released in 1993, didn’t even have form
tags! The best we could do then was use a
tags to jump from one static page to another. Essentially, the web was a virtual library that users could navigate to read information. Today, this era of the web is known as Web 1.0.
The Space Jam website from 1996 is a living example of what the web looked like during the read-only days of Web 1.0.
Web 2.0
JavaScript helped pave the way for the next phase of the web, sometimes called Web 2.0. A vital characteristic of this new era was that web pages could display dynamic content that was reactive to user input. The release of JavaScript also occurred just after the release of HTML 2.0, which introduced inputs and forms. Websites could change based on how users clicked, hovered, scrolled, and entered data. The read-only days of Web 1.0 were over, and web security immediately and fundamentally changed. Users could submit their data and have it persist on a server. Other users could then see and interact with that same data later. Suddenly, web application developers had to think of all the possible ways that potential attackers could utilize these new capabilities to cause harm.
ECMAScript and the browser
Brendan Eich, the creator of JavaScript, designed the language in just ten days while working at Netscape! A feature-rich programming language developed with user interactivity in mind, yet written in such a short amount of time, must be laden with security holes and vulnerabilities, right?
Before attempting to answer this question, it is essential to remember that the same solid security principles apply no matter the programming language. Versioning also allows programming languages and browsers to make revisions over time to address previous shortcomings.
In November 1996, Netscape created Ecma International, a nonprofit organization meant to standardize the advancement of JavaScript across browsers and servers. This JavaScript standard is called ECMAScript. As of 2023, 13 versions of ECMAScript have been released. Each version gave developers an opportunity to improve the language by adding new functionality and addressing security vulnerabilities. For example, ECMAScript 5 introduced strict mode, which made it easier to write secure JavaScript. Similarly, there have been five major versions of HTML since its inception in 1993.
Also, these days, browsers often automatically update in the background to quickly introduce new features and patch security vulnerabilities. However, this was certainly not always the case. During the Web 1.0 days of Internet Explorer (the web browser developed by Microsoft in 1995 until being officially replaced by Edge in 2022), it was a much more laborious process to update a browser. Users often simply didn’t update, preventing them from accessing the features of a more contemporary web browser. Compare this experience to that of the modern-day Google Chrome user who has no idea which browser version they are running because it constantly just automatically updates for them.
However, with every new feature that each HTML, ECMAScript, and browser iteration introduces, there will always be potential for new security vulnerabilities as well.
So, is JavaScript secure?
Like many questions, we can't answer this one without additional context. How has the JavaScript in question been used? What browser is it running in? What version of ECMAScript/HTML is the browser running? Is it being run on a server or client side?
Regardless, we can build safer JavaScript applications by familiarizing ourselves with common vulnerabilities, attacks, and prevention, understanding how to limit sensitive data exposure and learning how to work with HTTP and APIs safely.