If you think your users' addresses are really a secret, then yes, you probably should do some work:
XSS attacks
You need to be very careful in how you display user input. For example, if I say my name is <script>alert('hello world')</script>, are you really going to print this on a website? If so, I can embed my own JavaScript in your application. Here is an example of an XSS attack and Wikipedia has more information. If attackers can embed user JS, they can intercept the user's secret input, such as addresses, passwords or cookies.
HTTPS
When your web server sends its message to the user, the message does not go directly to the user's computer. First, it passes through intermediate computers in a relay. If attackers control one of the computers in the middle of the relay, they can modify the server's message and embed their own JS. Again, the attackers win. To get around this, you will need HTTPS, which is a protocol that, by the way, encrypts the message. You will also need something called a certificate; StartSSL sells them at an affordable price.
Please note that the attacker does not have to be a corporation or government sitting miles away in order to control an intermediate computer. For example, someone might run Firebug on your unencrypted Wi-Fi network on a school campus.
But really
The best way to structure your web application is to never send the user's address to your server in the first place. One of the first rules of information security is that it is difficult to get right; the more you can rely on other people, the better. Instead, perhaps keep a fixed list of landmarks in your JS code. Or use the public API provided by a service such as Google Maps, which already works via HTTPS.
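The display problem from the XSS section above, as an added example that is not part of the original answer: the same name and address values rendered with raw concatenation and with HTML output encoding. The function names (`escapeHtml`, `renderGreeting`, `renderAddressField`) and the markup are assumptions made for illustration.

```javascript
// Added example: output-encode user-supplied text before placing it in HTML.
// All helper names and the markup below are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can change HTML parsing state with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": raw concatenation. Whatever the user typed becomes markup.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// "After": element-content context. The name is shown as text only.
function renderGreeting(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Attribute context (re-displaying an address in a form field).
// The attribute must be quoted AND the value escaped, otherwise a
// double quote in the input closes the attribute early.
function renderAddressField(address) {
  return '<input name="address" value="' + escapeHtml(address) + '">';
}

// Constructed sample inputs, reusing the name from the answer above.
const sampleName = "<script>alert('hello world')</script>";
const sampleAddress = '"><script>alert(\'hello world\')</script>';

console.log(renderGreetingUnsafe(sampleName)); // script tag reaches the page
console.log(renderGreeting(sampleName));       // shown as inert text
console.log(renderAddressField(sampleAddress));
console.log(renderGreeting("O'Brien & Sons")); // legitimate names still display
```

Escaping of this kind covers element text and quoted attribute values only; input placed inside a script block, a URL or a style needs encoding for that context instead.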