Certificate pinning in Ajax calls

Question

I believe I already know the answer to this but I wanted to see if anyone had more insight into this problem. I have done certificate pinning in Android and iOS applications to make them more secure against man in the middle attacks. I am curious, can this same thing be done on a website which executes Ajax calls? I'm thinking not as the Javascript code could be modified during transport, has anyone had any experience with this?

Answer 1

You might be interested in this: http://caniuse.com/#search=HPKP . Modern browsers already have support for public key pinning.

Also great article about preventing man in the middle attacks (or them making harder to pull off - as it seems "preventing" in a security context has a relative meaning): http://blog.scottlogic.com/2016/02/01/man-in-the-middle.html

And if you're feeling adventurous you can go really low level with a native implementation of TLS in JavaScript: https://github.com/digitalbazaar/forge/blob/master/README.md