-2

I want to make calls to my backend service in such a way that prevents people from copying the requests from the network tab, and duplicating them using curl, allowing them to burn through my API limits.

My site uses client-side React, so it seems to me that whenever I access the secret key to encrypt the data I'm sending, a user could just set a breakpoint in the Sources folder, and sniff the password I'm using for encryption.

Is there a technology or pattern I'm missing that would solve this problem?

Thanks very much!

Ryan Krol
    This question is asked daily and always gets the same response - what you want to do is impossible. If the security of your application relies on the client behaving in a particular way, then you've designed your application wrong - back to the drawing board! – Luke Joshua Park Feb 01 '20 at 04:07
  • @Agney, I think so, it seems odd to me that you can't specify that things are hidden in developer tools though. Surely the browser could use the code without exposing it to everybody – Ryan Krol Feb 01 '20 at 10:38
  • 1
    @RyanKrol I don't think you are considering the case completely. Browser developer tools are independent for each user; somebody could just make a browser that does not comply and leak your secrets – Agney Feb 01 '20 at 12:50
  • You'll have to implement rate limiting on the server. – Peter Feb 01 '20 at 18:30
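The comments above converge on the same control: since nothing in the browser can be trusted to keep a secret, the limit has to be enforced on the server against an identifier the server assigns or verifies itself (a session id, an API key, or the client IP as a fallback). The following is an added example, not code from the question, the answer or any commenter: a token-bucket rate limiter and an Express-style middleware wrapper around it (the `req`/`res`/`next` shape is assumed; Express itself is not required to run the file). The clock is injected so the behaviour can be exercised without sleeping.

```javascript
// Added example (not part of the original question or answers).
// Server-side token-bucket rate limiter, keyed by a client identifier that
// the server controls. Because the bucket lives on the server, nothing the
// browser exposes (network tab, breakpoints) changes the limit.

class TokenBucketLimiter {
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;             // burst allowance per client
    this.refillPerSecond = refillPerSecond; // sustained rate per client
    this.now = now;                       // injectable clock (ms)
    this.buckets = new Map();             // clientId -> { tokens, updated }
  }

  // Returns { allowed, remaining, retryAfterMs } for one request of `cost` tokens.
  consume(clientId, cost = 1) {
    const t = this.now();
    let b = this.buckets.get(clientId);
    if (!b) {
      b = { tokens: this.capacity, updated: t };
      this.buckets.set(clientId, b);
    }
    // Refill proportionally to elapsed time, never beyond capacity.
    const elapsedSec = Math.max(0, t - b.updated) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.updated = t;
    if (b.tokens >= cost) {
      b.tokens -= cost;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    const deficit = cost - b.tokens;
    return {
      allowed: false,
      remaining: 0,
      retryAfterMs: Math.ceil((deficit / this.refillPerSecond) * 1000),
    };
  }
}

// Express-style middleware (assumed req/res/next shape). `identify` maps a
// request to the client identifier the server trusts, e.g. req.session.id.
function rateLimitMiddleware(limiter, identify) {
  return (req, res, next) => {
    const result = limiter.consume(identify(req));
    res.setHeader("X-RateLimit-Remaining", String(result.remaining));
    if (!result.allowed) {
      res.setHeader("Retry-After", String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).send("Too Many Requests");
      return;
    }
    next();
  };
}

// Stand-alone demo with a fake clock: a client that replays the same request
// seven times in a row is cut off after the burst of five, and regains two
// requests after two seconds of refill.
function demo() {
  let clock = 0; // constructed clock value, milliseconds
  const limiter = new TokenBucketLimiter({ capacity: 5, refillPerSecond: 1, now: () => clock });
  const results = [];
  for (let i = 0; i < 7; i++) results.push(limiter.consume("session-abc").allowed);
  clock += 2000;
  for (let i = 0; i < 3; i++) results.push(limiter.consume("session-abc").allowed);
  return results; // [true x5, false, false, true, true, false]
}

console.log(demo());
```

In a real deployment the bucket store would live in a shared cache (so every backend instance sees the same counts) and the key would be something the server issued after authentication rather than a value the page can choose; that keeps the limit bound to the account rather than to whatever the replaying client sends.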

1 Answer

0

I think people would normally trust HTTPS to securely transmit requests and responses. Encryption would happen only on the back-end, avoiding the necessity of transmitting keys.

If you really want to implement additional encryption, maybe PGP would be a way to go.

Michael
  • So HTTPS would protect against external actors snooping on a user's transactions, but in this case I'm concerned with the user themselves replicating calls to my server. With HTTPS, the user can still see the request in the network tab, and replicate the calls to my server themselves if they wish. Doing so would burn my API limits. – Ryan Krol Feb 01 '20 at 10:32