Protect the server from "false requests"

Viewed 137 times

3

I’m having second thoughts about security. When I want to add or retrieve data, I make an HTTP POST or GET request to my server, which returns a JSON response. Assume it is an application that displays movie lists (returned by the server in JSON format). How do I hide this request from the user? Because if you use some traffic monitoring program, it will see, for example:

HTTP://SERVER.COM/GetFilmes.php

By monitoring other applications, I realize they make a request only to the server and not to pages (as above).

How best to prevent such data from becoming readily available to malicious people?

  • Suppose I have an HTTP GET that returns whether the user’s login and password are correct (checked by the application), but a malicious user gets the link to the page on the server that does the authentication and starts sending data to this page from outside the application. How could I authenticate this without the user knowing which page in the backend does it? For example: http://server.com/checkdados.php

  • I have iFood as an example: when it opens, it returns a list of restaurants. But when monitoring the data traffic, I do not find a request like the one I would use in my app (ifood.com/webservice/getrestaurantes.php), only one pointing to their server with no directory, so it’s harder to figure out where the data is coming from.

  • A request to wsloja.ifood.com.br:443 only.

  • So if I use HTTPS and encrypt my application, the user won’t know in which directory the request is being made? They will only know the correct server?

  • I think that’s it too. I’ll activate SSL on my domain and test it. Thanks for the help!

1 answer

3

If you are moving the data over HTTPS, that is, through the SSL or TLS protocol, the whole data packet is encrypted: the request itself, the verb (method), the URL, the headers and the parameters.

Through a traffic monitoring application, the monitor will at most learn the server and port it has connected to, but not the path inside the server.

Therefore, the request for the address:

GET https://api.meuservidor.com/confidencial/topsecret/classified?type=007

should look like:

??? https://api.meuservidor.com:443

Anyway, if you are using a browser, the full path and parameters of a GET will still be visible. With other HTTP methods this does not happen.

  • 1

    I tested. Actually, now only the server and the port appear in the request. Perfect!
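HTTPS hides the path in transit, but as the question notes with checkdados.php, anyone who learns the endpoint can still call it directly, so the server has to authenticate each request rather than rely on the path staying unknown. As an added example, not code from the question or answer, here is request signing in Python: the client sends a timestamp and an HMAC over method, path, time and body, and the server rejects stale, altered or replayed requests. The per-session key issued at login, the header names and the endpoint path are assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo key. Assumption: the server issues a key like this per
# session after login. A key baked into the app itself can be extracted from
# the app, so it would only identify the app, not the user.
SESSION_KEY = b"constructed-session-key-for-demo"
MAX_SKEW = 300  # seconds a signed request stays valid


def canonical(method, path, timestamp, body):
    # The bytes that get signed: method, path, time and a body hash, joined
    # with a separator that cannot appear in the method or path.
    return b"\n".join([method.encode(), path.encode(), str(timestamp).encode(),
                       hashlib.sha256(body).hexdigest().encode()])


def sign_request(key, method, path, body, timestamp=None):
    """Client side: produce the two headers that accompany the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(key, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(key, method, path, body, headers, seen, now=None):
    """Server side: True only for a fresh, unmodified, not-yet-seen request.

    `seen` is the set of signatures already accepted; in a real service it
    is evicted after MAX_SKEW seconds, since older signatures are stale anyway.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed authentication headers
    if abs(now - ts) > MAX_SKEW:
        return False  # stale or future-dated request
    expected = hmac.new(key, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # wrong key, or method/path/body altered in flight
    if sig in seen:
        return False  # exact replay of a request already accepted
    seen.add(sig)
    return True
```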
