
I'm loading a login form to conduct user verification. I was wondering if I could limit an endpoint in a Flask app to only respond to requests from browsers in which I previously loaded the form.

I think a CSRF token may be an option, but I was wondering if there's a better way to do it.

I want to be able to forbid Postman, curl & other user agents from sending requests to a particular endpoint, unless it is from a browser with the UI login form.

Meysam
    Wouldn't this be prevented if you served a CSRF token with your form (see https://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work)? – snakecharmerb Apr 30 '19 at 10:45
  • Thanks @snakecharmerb, that was indeed my answer. – Meysam Apr 30 '19 at 11:38

1 Answer


You can determine the user agent from the request.user_agent attribute. E.g. in my case, after accessing the Flask app using a Chrome browser, it has the following value:

{'browser': 'chrome',
 'language': None,
 'platform': 'linux',
 'string': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like '
           'Gecko) Chrome/71.0.3578.80 Safari/537.36',
 'version': '71.0.3578.80'}

However, keep in mind that changing the user agent to whatever you want is an easy task. Thus, I wouldn't put much value in what you get.

Tomáš Linhart
    I don't think that's a valid source, because the user can change the User-Agent header, can't he? – Meysam Apr 30 '19 at 11:34
  • Practically, there's no tool to reliably tell if the request came from a browser, a bot or whatever else. All you can use to determine the source is the data inside the HTTP request. And it can be forged quite easily. If you want to be a bit smarter, you would also have to use the behavior and use some kind of anomaly detection. – Tomáš Linhart Apr 30 '19 at 11:53
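
The two points raised on this page (the CSRF-style form token suggested in the question's comments, and the answer's warning that User-Agent is forgeable) can be shown side by side in one small piece of code. The following is an added example, not code from the question, the answer, or any Flask project: it implements a per-form token bound to the server-side session with only the Python standard library, so it runs without Flask installed, and then simulates four clients. The session is modelled as a plain dict (in Flask you would pass flask.session, call issue_form_token from the GET handler that renders the form, and call handle_login_post from the POST handler); SERVER_SECRET and all request values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo secret. A real deployment loads this from configuration
# and never commits it to source control.
SERVER_SECRET = b"example-only-secret-do-not-deploy"


def _token_for(nonce: str) -> str:
    """Derive the form token from the session nonce with an HMAC, so the
    nonce stored in the session never leaves the server as-is."""
    return hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def issue_form_token(session: Dict[str, str]) -> str:
    """Called when the login form is rendered (the GET handler).
    Stores a fresh random nonce in the caller's session and returns the
    token that must be embedded in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    session["csrf_nonce"] = nonce
    return _token_for(nonce)


def verify_form_token(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the one derived from the
    nonce that THIS session received when the form was served."""
    nonce = session.get("csrf_nonce")
    if nonce is None or not submitted:
        return False
    expected = _token_for(nonce)
    # Constant-time comparison; encode to bytes so non-ASCII input cannot
    # make compare_digest raise.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_login_post(session: Dict[str, str], form: Dict[str, str],
                      user_agent: str) -> Tuple[int, str]:
    """The POST handler's decision. The User-Agent is only echoed into the
    message for logging; it is never used as an authorisation input."""
    if not verify_form_token(session, form.get("csrf_token")):
        return 403, f"form token missing or invalid (ua={user_agent!r})"
    # Single use: drop the nonce so a replayed submission is rejected.
    session.pop("csrf_nonce", None)
    return 200, f"credentials accepted for checking (ua={user_agent!r})"


# Constructed User-Agent strings for the simulated clients.
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36")
CURL_UA = "curl/7.64.0"


def run_scenarios() -> Dict[str, int]:
    """Simulate four clients and return the HTTP status each would get."""
    results: Dict[str, int] = {}

    # 1. Real browser flow: GET renders the form (token issued into the
    #    session), then the browser POSTs the form with the token.
    browser_session: Dict[str, str] = {}
    token = issue_form_token(browser_session)
    results["browser_with_form"] = handle_login_post(
        browser_session, {"username": "alice", "csrf_token": token}, CHROME_UA)[0]

    # 2. The same browser re-submits the already consumed token.
    results["browser_replay"] = handle_login_post(
        browser_session, {"username": "alice", "csrf_token": token}, CHROME_UA)[0]

    # 3. A script that copies Chrome's User-Agent but never loaded the form:
    #    its session holds no nonce, so the forged header buys it nothing.
    results["script_with_browser_ua"] = handle_login_post(
        {}, {"username": "alice"}, CHROME_UA)[0]

    # 4. A script that guesses a token value without having loaded the form.
    results["script_guessed_token"] = handle_login_post(
        {}, {"username": "alice", "csrf_token": "0" * 64}, CURL_UA)[0]

    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:>24}: {status}")
```

The decisive input is the session-bound token, not the header: scenario 3 gets 403 despite sending a perfect Chrome User-Agent, and scenario 1 would get 200 even from curl if curl first fetched the form with a cookie jar and echoed the token back, which is exactly the limit the accepted comment on the question describes. In a real Flask app the same pattern is provided ready-made by Flask-WTF's CSRFProtect, so hand-rolling it is only worthwhile to understand what it checks.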