API
Dmitry Labutin, 2015-04-06 21:22:49

How to make unwanted REST API calls as difficult as possible?

Let's imagine that there is a service.
The web front-end is very simple: input of two or three parameters and a submit button. An AJAX request goes to the server and a JSON response with the calculation results comes back.
The web front-end itself is of no value; the interesting part is the way the calculations are done on the server.
With this approach it is easy to write a clone of the front-end, call someone else's ready-made REST API, and pass the service off as your own.
So the question is: how to complicate the life of such plagiarists?


6 answer(s)
Nikolai Markov, 2015-04-06
@manameiz

Well, obviously by any of the means that protect against bots, i.e. a captcha, for example.

Nikolai, 2015-04-06
@jaymecd

A captcha on the API will not help much. Tokens will help you; see JSON Web Tokens.

lam0x86, 2015-04-06
@lam0x86

Why not check the HTTP Referer?

Ruslan Kvashnin, 2015-04-07
@RussellKvashnin

There is a golden rule of system administration:
"Everything that is not allowed is prohibited."
I think the hint is understood.

Vadim Shandrinov, 2015-04-07
@suguby

Give the front-end a generated cookie and some generated parameter. Require the front-end to send back both the cookie and the form parameter. Store the parameter issued to this form against this cookie and check what comes back from the form. The parameter and the cookie are completely unrelated hashes.

aleksey_k, 2015-07-11
@aleksey_k

What you describe is very similar to CSRF. There are several methods of protection against it, with examples on the Internet. The simplest is the Referer check; a little more involved is to generate a CSRF token that is sent along with the form and that the server knows. If the form fails the check on this token, then someone is cheating.
If you use AJAX, you will need a one-time token there, which is renewed when the server responds.
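
The scheme described in the two answers above (an opaque cookie plus an unrelated form token, stored as a pair on the server, with the token rotated on every AJAX response) as one added example; this is not code from either answerer. The in-memory `_sessions` dict, the `sid` cookie name, the `token` form field, and the multiplication standing in for the real calculation are assumptions for illustration; a real deployment would use a session store with expiry.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Server-side store: session cookie value -> the one form token currently valid for it.
# Assumed in-memory dict for illustration; use a session store with expiry in production.
_sessions: Dict[str, str] = {}


def serve_page() -> Tuple[str, str, str]:
    """Render the front-end: set an opaque session cookie and embed an unrelated form token.

    Returns (Set-Cookie header value, form token, HTML) so a caller can see all three.
    """
    session_id = secrets.token_urlsafe(32)
    form_token = secrets.token_urlsafe(32)  # generated independently of the cookie
    _sessions[session_id] = form_token
    set_cookie = f"sid={session_id}; HttpOnly; Secure; SameSite=Strict"
    html = f'<form id="calc"><input type="hidden" name="token" value="{form_token}"></form>'
    return set_cookie, form_token, html


def _parse_cookie(header: str) -> Dict[str, str]:
    """Minimal 'k=v; k2=v2' cookie parser; attribute-only parts (HttpOnly) are skipped."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


def handle_ajax(cookie_header: str, form: Dict[str, str],
                params: Dict[str, int]) -> Tuple[int, dict]:
    """The calculation endpoint: cookie and form token must match the stored pair.

    On success the token is rotated and returned, so each token works exactly once
    and the next AJAX call must carry the new one.
    """
    sid = _parse_cookie(cookie_header).get("sid")
    expected = _sessions.get(sid) if sid else None
    presented = form.get("token", "")
    if expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        return 403, {"error": "missing or mismatched token"}
    new_token = secrets.token_urlsafe(32)
    _sessions[sid] = new_token  # the old token is now useless; a replay fails
    result = params["a"] * params["b"]  # stand-in for the real calculation
    return 200, {"result": result, "token": new_token}


if __name__ == "__main__":
    cookie, token, page = serve_page()
    status, body = handle_ajax(cookie, {"token": token}, {"a": 6, "b": 7})
    print(status, body["result"])
    # Replaying the first token is rejected; the rotated one must be used.
    print(handle_ajax(cookie, {"token": token}, {"a": 6, "b": 7})[0])
```

Because the token lives in the page body and the cookie is `HttpOnly`, a clone needs both a fresh page load and the cookie jar from that same load for every call, which is exactly the "both, and tied together" requirement the answers describe. Keep the caveat in mind: a clone that proxies a full page load through the real site per user still passes, so this raises the cost rather than making the API unusable by outsiders.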
