Stone Steps Forums
#1 Paul Weinstock
As almost all of us know, JavaScript is a client code language.
Is it recommendable to make a security system for a bank with JavaScript?
Paul Weinstock
#2 Stone Steps
If you are asking whether it's safe to use JavaScript in a secure application, but for non-security purposes, then yes, as long as you follow the usual security guidelines to prevent attacks like cross-site scripting, cross-domain forgery, etc. That is, if you wanted to provide your users with a rich text editor written in JavaScript, that could be done so that no security is compromised.

If the question is whether you can rely on JavaScript for security purposes, it depends on what you are trying to accomplish.

For example, client-side input validation should definitely be considered as a convenience or optimization, so no extra request to the server is made in case an honest mistake is made (e.g. wrong card type, empty field, etc.), and absolutely must be backed up by server-side validation.

A good example where client-side JavaScript is actually quite helpful is user authentication, which makes it possible to avoid submitting a password in clear text. For example, a web site could generate a random number (call it a challenge), store it in a session and send the challenge to the client browser in a hidden form field. The challenge is not a secret and is only used to prevent replay attacks. Once the user enters their password, the password is hashed (e.g. using HMAC-SHA1) by client-side JavaScript, along with the challenge, and the resulting sequence of hex- or base64-encoded bytes is sent to the web server, which does the same with its copy of the password and the challenge. Under this scenario the password never leaves the browser, so if SSL is compromised, the password still remains secure.

Andre