Wednesday 15 August 2012

security - Securing RESTful API: Is it possible to disallow XHR requests from the JS Console?


My application (mostly client-side code written in Spine) interfaces with a Node.js server. The only purpose of my server is to provide the API endpoints for my Spine application.

The GET requests are fairly safe; an attacker cannot do much with them. But I have some POST and PUT requests that update the vote count for a particular user. One of the PUT requests, for example:

    app.put('/api/vote', function (req, res) {
      // form data posted from the client
      var winningPerson = req.body.winner; // userID
      var losingPerson = req.body.loser;   // userID
    });

I have noticed that some people were spamming the PUT request for a particular user via the JS console or some REST API console, which defeats the purpose of the application as enforced by the user interface. If you use the application through the UI, it does not allow you to vote for a single person several times in a row. From the console, though, you can vote for any user in the database (assuming you have the user ID).

But yes, I know: "Never trust the client". So how can I fix the above problem? Would checking the IP address help prevent multiple votes within a 3-5 minute interval? What can I do to disallow access to my API from the console, so that users cannot vote arbitrarily for any person?

The answer: your server should not allow a user to vote more often than specified. This is a business rule that you can enforce only on the server, because that is what is under your control. Enforcing it in the UI as well is good and worthwhile, but it is not bulletproof; to be sure, you have to check on the server.

"The only purpose of my server is to provide API endpoints for my Spine app."

Do not try to control something that is beyond your control. Users of your application's client side vote more often because you (your API) allow them to. As soon as your server responds with "Try it in 5 minutes, buddy", they will stop doing it, or at least, if they keep doing it, it will do no harm.
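
One way to enforce the rule the answer describes on the server, as an added example that is not part of the original question or answer. It assumes the voter's identity comes from an authenticated session (passed in as the hypothetical `voterId` argument) and a 5-minute cooldown per voter and winner; `createVoteLimiter`, `checkVote` and `demo` are illustrative names.

```javascript
// Added example: server-side vote throttling, independent of any web framework.
const COOLDOWN_MS = 5 * 60 * 1000; // assumed window, taken from the "5 minutes" above

function createVoteLimiter(cooldownMs = COOLDOWN_MS) {
  const lastVoteAt = new Map(); // [voterId, winner] key -> time of last accepted vote

  // voterId must come from the authenticated session (assumption: e.g. a
  // hypothetical req.session.userId), never from the request body.
  return function checkVote(voterId, winner, loser, now = Date.now()) {
    if (typeof voterId !== 'string' || voterId === '') {
      return { ok: false, status: 401, error: 'not authenticated' };
    }
    if (typeof winner !== 'string' || typeof loser !== 'string' ||
        winner === '' || loser === '' || winner === loser) {
      return { ok: false, status: 400, error: 'invalid winner/loser' };
    }
    // Drop expired entries so the map cannot grow without bound.
    for (const [key, at] of lastVoteAt) {
      if (now - at >= cooldownMs) lastVoteAt.delete(key);
    }
    const key = JSON.stringify([voterId, winner]); // unambiguous composite key
    const prev = lastVoteAt.get(key);
    if (prev !== undefined) {
      // Same voter, same winner, still inside the window: reject the replay.
      const retryAfterSec = Math.ceil((cooldownMs - (now - prev)) / 1000);
      return { ok: false, status: 429, retryAfterSec, error: 'vote too soon' };
    }
    lastVoteAt.set(key, now);
    return { ok: true, status: 200 };
  };
}

// Constructed sample traffic: the same PUT body replayed from a console.
function demo() {
  const checkVote = createVoteLimiter();
  const t0 = 1000000;
  return [
    checkVote('u1', 'u7', 'u9', t0),               // first vote: accepted
    checkVote('u1', 'u7', 'u9', t0 + 1000),        // replay 1 s later: 429
    checkVote('u2', 'u7', 'u9', t0 + 1000),        // different voter: accepted
    checkVote('u1', 'u7', 'u9', t0 + COOLDOWN_MS), // window elapsed: accepted
    checkVote(undefined, 'u7', 'u9', t0),          // no session: 401
  ];
}
```

In the `/api/vote` handler, the decision object maps directly onto the response status (and a `Retry-After` header for 429). The in-memory map only holds for a single Node process; several processes need a shared store for the same check.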
