Reputation: 42050
How to distinguish between HTTP requests sent by my client application and other requests from the Internet
Suppose I have an client/server application working over HTTP. The server provides a RESTy API and client calls the server over HTTP using regular HTTP GET requests.
The server requires no authentication. Anyone on the Internet can send a GET HTTP request to my server. It's Ok. I just wonder how I can distinguish between the requests from my client and other requests from the Internet.
Suppose my client sent a request X. A user recorded this request (including the agent, headers, cookies, etc.) and send it again with wget for example. I would like to distinguish between these two requests in the server-side.
Upvotes: 1
Views: 2721
Answers (2)
Reputation: 35905
You cannot know for sure if it is your application or not. Anything in the request can be made up.
But, you can make sure that nobody is using your application inadvertently. For example somebody may create a javascript application and point to your REST API. The browser sends the Origin header (draft) indicating in which application was the request generated. You can use this header to filter calls from applications that are not yours.
However, that somebody may use his own web server as proxy to your application, allowing him then to craft HTTP requests with more detail. In this case, at some point you would be able of pin point his IP address and block it.
But the best solution would be to put some degree of authorization. For example, the UI part can ask for authentication via login/password, or just a captcha to ensure the caller is a person, then generate a token and associate that token with the use session. From that point the calls to the API have to provide such token, otherwise you must reject them.
Upvotes: 1
Reputation: 1318
There is no exact solution rather then authentication. On the other hand, you do not need to implement username & password authentication for this basic requirement. You could simply identify a random string for your "client" and send it to api over custom http header variable like ;
GET /api/ HTTP/1.1
Host: www.backend.com
My-Custom-Token-Dude: a717sfa618e89a7a7d17dgasad
...
You could distinguish the requests by this custom header variable and it's values existence and validity. But I'm saying "Security through obscurity" is not a solution.
Upvotes: 4
Related Questions
- How to detect packets using http or other application layer protocols?
- How do I determine if a HTTP request came from a browser or some agent
- How to tell if a request comes from browser or server?
- How to check if HTTP request is external
- How do I determine if a HTTP request came from a browser or something else like a web service?
- Identifying user-initiated web requests
- positively identifying http requests from java HttpClient
- How to identify whether http request is from browser or from proxy server (or server)?
- Identifying HTTP clients
- How to differentiate a HTTP Request submitted from a HTML form and a HTTP Request submitted from a client?