Reputation: 4247
We have a form; when a person fills in that form, we hit a POST API.
When the user submits the form, the complete info of the API (request URL, headers) is visible. I was thinking: if someone starts hitting this POST API through server-side code, our tables would be filled with junk values?
How can we avoid this bulk data entering the system through the API being directly hit by a C# client, Postman or any other server-side client?
Upvotes: 2
Views: 509
Reputation: 1114
Use a captcha: a challenge is presented to the user to prove being a human. Usually an image that contains some garbled text is shown to the person filling in the form, and (s)he is required to transcribe the text content of the image into the form. If the captcha solution is wrong or missing, that POST request to the API will be discarded.
Many types of challenges are commonly used, such as audio/visual/logic/mini-puzzles. You can also customize your challenge in a way that fits best with your form. For example, Google provides reCAPTCHA, a captcha service with a JS and server API.
This helps you prevent or mitigate bots, as the captcha is a challenge that is very hard for computers but easy for humans.
Using one-time captcha tokens also prevents the replay attacks you are worried about. Also, checking that the IP that received the challenge and the IP resolving it are the same helps mitigate other tricks.
This still leaves room for a determined human to spam your form, so you should also keep track of the number of submissions and throttle them by IP.
Upvotes: 0
Reputation: 2984
There are times when authentication is not possible or desirable for a web form. At those times I have used a key generated on the server that I embed in the form.
The form sends back the key along with the rest of the data, and you can then make any decisions you need to make based on the key, like limiting the rate of submissions, allowing only one submission and then expiring the key, etc.
Upvotes: 0
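Putting the server-generated form key from this answer, together with the per-IP throttling the captcha answer recommends, into working code (an added example, not code from either answer). It assumes a Python backend, an HMAC-signed key carrying the form id, issue time and a random nonce, and in-memory stores (`_used`, `_submissions`) standing in for whatever shared store the real server would use.

```python
import base64
import hashlib
import hmac
import os
import time
# Hypothetical server-side secret: never embedded in the form, only used to sign keys
SECRET = os.urandom(32)
TOKEN_TTL = 600  # seconds a form key stays valid
RATE_LIMIT, RATE_WINDOW = 5, 60  # max submissions per IP per window (seconds)
_used = set()  # consumed keys (in-memory stand-in for a shared store)
_submissions = {}  # ip -> recent submission timestamps (in-memory stand-in)

def issue_form_token(form_id, now=None):
    """Generate a key to embed in the form as a hidden field."""
    now = int(time.time()) if now is None else now
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()
    payload = f"{form_id}:{now}:{nonce}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def verify_form_token(token, form_id, now=None):
    """Check the key sent back with the POST; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        fid, issued, nonce, sig = token.split(":")
        issued = int(issued)
    except ValueError:
        return False, "malformed"
    payload = f"{fid}:{issued}:{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"  # forged or tampered key
    if fid != form_id:
        return False, "wrong form"  # key issued for a different form
    if issued > now or now - issued > TOKEN_TTL:
        return False, "expired"
    if payload in _used:
        return False, "replayed"  # key already consumed once
    _used.add(payload)
    return True, "ok"

def allow_submission(ip, now=None):
    """Sliding-window throttle per client IP, applied after the key check."""
    now = time.time() if now is None else now
    recent = [t for t in _submissions.get(ip, []) if now - t < RATE_WINDOW]
    allowed = len(recent) < RATE_LIMIT
    if allowed:
        recent.append(now)
    _submissions[ip] = recent
    return allowed
```

A client posting from Postman or C# without first loading the form has no valid key to send, and one that scrapes a key from the page can use it exactly once before it is expired or throttled.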
Reputation: 5549
That's a really open-ended question, but I don't think there's a way to do exactly what you ask (detect with certainty whether a request originates from a browser or not), nor should you if it were possible - users may have a legitimate reason to use something other than a browser, or someone might want to integrate your API into a larger process, etc.
You should handle this via authentication - require the user to be authenticated with your API, then if they misbehave you can disable their user accounts (either manually or automatically with some sort of abuse detection).
Upvotes: 3