
I have a basic game app I’ve made and at the end of the game the game will make a POST request and send the username and score to the server. But this leaves me vulnerable from POST requests outside my game, let's say someone sends it through Postman.

Can I have various ways of solving this issue? Do I need to start learning sessions / tokens so POST requests are only made from the browser window?

I am new to coding and I am not entirely sure what my options are for defending against outside attacks.


2 Answers


You could look into using CSRF tokens.

These tokens are in general used so that the request has to be generated from a particular site and cannot be made from another site.

https://developer.mozilla.org/en-US/docs/Glossary/CSRF

What is a CSRF token ? What is its importance and how does it work?

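A minimal issue-and-verify flow for a session-bound CSRF token, added here as an illustration (not the answerer's code): the token is an HMAC of the session id under a server secret, the page embeds it, and the score handler rejects any POST whose token does not match the session it arrives with. It stops a page on another origin from forging the POST; a client that holds a valid session can still send whatever score it likes, so the handler also takes the username from the session rather than from the form. Session store, secret and request dicts are constructed stand-ins.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory stand-ins for a real secret store and session store.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> username

def create_session(username):
    """Start a session when the player loads the game; returns the session id (set as a cookie)."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id

def issue_csrf_token(session_id):
    """Token = HMAC(secret, session_id), embedded in the game page; nothing extra to store."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, token):
    """Constant-time comparison against the token expected for this session."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), token.encode())

def handle_score_post(cookies, form):
    """Server side of the end-of-game POST.
    cookies: dict parsed from the Cookie header; form: dict of POST fields.
    Returns (status_code, message)."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "no session"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "bad csrf token"
    username = SESSIONS[session_id]  # trust the session, not a username posted in the form
    try:
        score = int(form.get("score", ""))
    except ValueError:
        return 400, "score must be an integer"
    if score < 0:
        return 400, "score out of range"
    return 200, f"recorded {score} for {username}"

if __name__ == "__main__":
    sid = create_session("alice")
    tok = issue_csrf_token(sid)
    print(handle_score_post({"session": sid}, {"csrf_token": tok, "score": "42"}))   # (200, ...)
    print(handle_score_post({"session": sid}, {"csrf_token": "0" * 64, "score": "42"}))  # (403, ...)
    print(handle_score_post({}, {"csrf_token": tok, "score": "42"}))                 # (401, ...)
```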

The best way to stop excessive POSTs to your server is to install fail2ban and configure it to read your access log(s) to ban IPs that POST more than x times in a range of x seconds (so for example ban IPs that POST more than 4 times in 3 minutes).

What fail2ban does is, it reads your logs, and based on the regex from its filters it can ban IPs.

Not going to post how to install it (tons of tutorials around), but will provide the POST filter and configuration you require below:

POST filter file. In my example it is named post-ban.conf and placed in the filter.d folder:

    [Definition]
    failregex = ^<HOST> -.*"POST .*".*$
    ignoreregex =

jail.local config (in the root folder of fail2ban): you can just add this to the array of existing filters

    [post-ban]
    enabled  = true
    port     = http,https
    filter   = post-ban
    logpath  = %(nginx_access_log)s
    maxretry = 4
    findtime = 180
    bantime  = 60000

The config here is set to ban the IP for 60000 seconds on the 4th POST within 180 seconds. You will have to change the logpath if you are not running nginx.