I have an application for course management, in which several requests are made via ajax that are processed in the background: getListCurso(), findDisciplinaById(), deleteAluno(), etc.
But anyone can go via GET and perform the same function as many times as they want, just by typing in the browser:
/meusite/travel/getListCurso/
/meusite/disciplina/findDisciplinaById/2/
/meusite/student/deleteAluno/20/
I would like these functions to be performed only if the request comes from the page built for each function.
When I say "unwanted request", I'm talking about the guy typing the path of a function into the browser; I wish this could only be done via the application page.
– Adriano Luz
To simplify, I would suggest you generate a token on the page that consumes the API, and check if the token in the request is valid. Or, if the service is consumed by a logged-in user, check if it is a valid session in the API itself.
– Bacco
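The token-plus-session approach from the comment above, worked through as an added example (this is not code from the original question or from the course-management application; the endpoint names are the ones in the question, everything else is assumed). The page that calls an action is rendered with a token that is an HMAC over the session id, the action name, an issue time and a nonce; the AJAX call sends it back in an `X-Request-Token` header. A URL typed into the address bar arrives as a plain GET with no such header, so it is refused, and anything that changes data (`deleteAluno`) additionally requires POST, which the address bar cannot produce at all. The header name, the 15-minute lifetime, the in-memory session table and the path layout `/meusite/<module>/<action>/<arg>/` are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: one per-process secret, an in-memory session
# table, and the page token carried in an X-Request-Token header.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60
SESSIONS = {}  # session id -> {"user": ...}

# HTTP method each action requires. Anything that changes data must be POST,
# so a URL typed into the address bar (always GET) cannot reach it.
ACTIONS = {
    "getListCurso": "GET",
    "findDisciplinaById": "GET",
    "deleteAluno": "POST",
}


def login(user):
    """Create a session; the id is what the browser would hold in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def _mac(sid, action, issued, nonce):
    msg = f"{sid}|{action}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_page_token(sid, action, now=None):
    """Called while rendering the page that will call `action` via AJAX.

    Binding the MAC to the session id and the action means a token copied
    from one user's page is useless in another session or for another action.
    """
    if sid not in SESSIONS:
        raise PermissionError("no session")
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(16)
    return f"{action}:{issued}:{nonce}:{_mac(sid, action, issued, nonce)}"


def verify_page_token(sid, action, token, now=None):
    """Return (ok, reason). The MAC is checked in constant time before any
    decision is made on the token's contents."""
    if not token:
        return False, "missing token"
    parts = token.split(":")
    if len(parts) != 4 or not parts[1].isdigit():
        return False, "malformed token"
    t_action, t_issued, nonce, mac = parts
    expected = _mac(sid, t_action, int(t_issued), nonce)
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"  # forged, or issued to another session
    if t_action != action:
        return False, "token issued for another action"
    now = now if now is not None else time.time()
    if now - int(t_issued) > TOKEN_TTL_SECONDS:
        return False, "token expired"
    return True, "ok"


def handle(request, now=None):
    """Minimal dispatcher. `request` is a dict with method, path, cookies, headers;
    returns (status, message)."""
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSIONS:
        return 401, "login required"
    parts = [p for p in request["path"].split("/") if p]  # /meusite/student/deleteAluno/20/
    if len(parts) < 3 or parts[2] not in ACTIONS:
        return 404, "no such action"
    action = parts[2]
    if request["method"] != ACTIONS[action]:
        return 405, f"{action} requires {ACTIONS[action]}"
    token = request.get("headers", {}).get("X-Request-Token")
    ok, reason = verify_page_token(sid, action, token, now)
    if not ok:
        return 403, reason
    return 200, f"{action}({', '.join(parts[3:])}) executed for {SESSIONS[sid]['user']}"
```

The session check does the real work of deciding who may call the endpoint; the token only proves the call was set up by a page this server rendered for that session, which blocks address-bar calls and cross-site forms (a form on another origin cannot add a custom header). It does not stop the logged-in user from scripting the same calls with their own session, which is the point Bacco makes further down.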
An alternative is to let anyone request whatever they want, but with each request from the same IP increasing the interval between responses, in order to avoid abuse. The best technique depends a lot on what you're trying to protect.
– Bacco
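The growing-delay idea from the comment above, as an added example that is not part of the original thread. Each address gets a few free requests per window; beyond that the delay before the response doubles on every request, up to a cap. The allowance, window and delay values are assumptions, and the example also shows the two practical caveats that come with keying on IP: the table has to be pruned or an attacker rotating source addresses grows it without bound, and `X-Forwarded-For` may only be trusted when the direct peer is your own proxy (the helper below assumes a single trusted proxy hop).

```python
import time


class PerIpBackoff:
    """Counts requests per client address inside a window and returns how long
    the server should wait before answering. Applying the wait is left to the
    caller (sleep in a threaded server, a timer in an async one)."""

    def __init__(self, free_requests=5, window=60.0, base_delay=0.5, max_delay=30.0):
        self.free_requests = free_requests
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # ip -> (window_start, count)

    def delay_for(self, ip, now=None):
        """Record one request from `ip`; return the delay in seconds (0.0 = answer now)."""
        now = time.time() if now is None else now
        start, count = self._state.get(ip, (now, 0))
        if now - start >= self.window:  # window elapsed: start counting again
            start, count = now, 0
        count += 1
        self._state[ip] = (start, count)
        excess = count - self.free_requests
        if excess <= 0:
            return 0.0
        # Cap the exponent before multiplying: min() against max_delay alone
        # would still evaluate 2 ** excess, which overflows a float once a
        # client has hammered the endpoint a thousand or so times.
        return min(self.base_delay * 2 ** min(excess - 1, 20), self.max_delay)

    def prune(self, now=None):
        """Drop expired windows so a client spraying source addresses cannot
        make the table grow forever. Returns the number of entries removed."""
        now = time.time() if now is None else now
        stale = [ip for ip, (start, _) in self._state.items() if now - start >= self.window]
        for ip in stale:
            del self._state[ip]
        return len(stale)

    def tracked(self):
        return len(self._state)


def client_ip(remote_addr, forwarded_for=None, trusted_proxies=frozenset()):
    """Choose the address to limit on. X-Forwarded-For is honoured only when
    the direct peer is a proxy we run; otherwise any client can put an
    arbitrary value in the header and dodge the limit (or push it onto
    someone else). Assumes one trusted proxy hop: the right-most entry is
    the address that proxy saw, earlier entries are client-supplied."""
    if forwarded_for and remote_addr in trusted_proxies:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr
```

Keep in mind that everyone behind one NAT or corporate proxy shares an address and is slowed down together, which is why this fits better as a brake on abuse than as the only control: combined with a login, you can key the same backoff on the user instead of the address.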
I'm not looking for anything complex, just to make the request via the application forms.
– Adriano Luz
Always remember that the "attacker" will always be able to simulate the user, and then use its API. The tips above only work to reduce the attack surface. Almost everything the user can do, an application can also do, and there is practically no way to prevent it (one could even solve a Captcha in some cases). If you at least force the user to authenticate, it is at least easier to detect abuse and/or limit the number of operations over time.
– Bacco
How can it be a duplicate if you were asked before?
– Adriano Luz
Read here to understand the idea better: http://meta.pt.stackoverflow.com/questions/3874/70
– Bacco