Answer the question
In order to leave comments, you need to log in
How to make unwanted REST API calls as difficult as possible?
Let's imagine that there is a service.
Web muzzle is very simple - input of parameters (2-3 parameters) and submit button. There is an AJAX request to the server and a JSON response with the calculation results.
The web muzzle is of no value. The most interesting thing is the way of calculations on the server.
With this approach, it is easy to write a clone of the muzzle and pull a ready-made foreign REST API and pass off the service as your own.
Actually the question is - how to complicate the life of such plagiarists?
Answer the question
In order to leave comments, you need to log in
Well, it is obvious that by any means that are protected from bots, i.e. captcha for example
Captcha on the API will not help, they will not help much. Tokens to help you, see Json Web Tokens.
There is a golden rule of system administration:
"Everything that is not allowed is prohibited."
I think the hint is understood.
Give the generated cookie and some generated parameter to the face. Require the muzzle to return both a cookie and a form parameter. And store the parameter given to this form for this cookie and check what came from the form. The parameter and the cookie are completely unrelated hashes. Ktt.
What you write about is very similar to CSRF. There are several methods of protection against this, there are examples on the Internet. The simplest is the Referrer check, a little more difficult is to generate a CSRF token that will be sent along with the form and which the server will know. If the form fails when checking this token, then someone is cheating.
If you use AJAX, you will need to use a one-time token there, which will be updated when the server responds.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question