Thank you Joe7 and Kyatric for your answer! :)
Yes, I thought about mixing your 2 solutions (CB hash & https) because I'm looking the way to protect the username, hash session of player and score.
But I'm still care about the fact the player (called hacker) could find a way to make some ajax call from javascript console (like firebug or chrome console or anothers tools) by finding my C2 javascript function (even minified) to make the same CB Hash and call it to send a high score to server manually...
Just like EdgeWorld's game, there are some tools to hack that game even if EdgeWorld is in https mode... :(
I'm not expert and don't know very well https, but I saw that every JS Client application use that way even if post data is not encrypted (just like iCloud.com do)
Do you think https could prevent that kind of attack?