
I've got a PHP registration script that just takes all the data as a POST request. I've got another page which sends that data to the script using jQuery AJAX. How can I be sure that the request came from that page, and not from a spammer who would just send POST requests to that script? I thought maybe using a token that's in the data sent by the page or a cookie, but both would be easy to discover.

Jojo01

1 Answer


Fundamentally, you can't.

Because the user has all the code necessary to communicate with you on his device (i.e. JavaScript), he also has the best possible Algorithm Description Document (i.e. JavaScript) one could ask for.

The only way to protect the code is to run it on the server. But this means that every request must go through the server, not just the "valid" ones from your script.

All you can do is raise the bar of complexity.

For example, if you were to hash (e.g. SHA256) the contents of the JavaScript code used to generate the request and all the data in the request and submit that with the request, you could have basic validation. This validation is easy to crack because all a user has to do is figure out what the hash of the JavaScript code is and do the hash themselves, but it makes it a little bit more difficult.

Another option, as mentioned in the comments, is to use a captcha.

Another option is watching source IPs or patterns in the requests.

But, fundamentally, there is no way to validate that the user is running your code vs. their own code on their own device.

iAdjunct
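To make the "raise the bar" advice concrete, here is an added example of the two server-side checks the answer describes, written for the PHP registration script from the question; it is not code from the question or the answer. It issues a single-use, time-limited token when the form page is rendered and consumes it on POST, and it counts POSTs per source IP in a fixed window. Neither check proves that the request came from your JavaScript: the token is visible to anyone who loads the page, exactly as the question says. What they do is force an automated client to fetch the page before every submission and stay under a rate limit, which is all a server can enforce. The `$session` and `$store` arrays, the IP `203.0.113.7` and the limits are constructed for the demonstration; in production the counters would live in a shared cache such as APCu or Redis rather than a per-request array.

```php
<?php
// Added example (not from the question or answer): server-side checks that
// raise the bar for a registration endpoint. Nothing here proves the request
// came from the page's JavaScript; it only forces an automated client to
// first fetch the page and to stay under a rate limit.
declare(strict_types=1);

// Issue a single-use token for the registration form. Called when the page
// that contains the form is rendered; the token is embedded in the page and
// echoed back by the jQuery POST. The copy of record lives in the session.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['reg_token'] = $token;
    $session['reg_token_issued'] = time();
    return $token;
}

// Consume the token on POST: constant-time compare, limited lifetime, and
// removed from the session after one use so a captured token cannot be replayed.
function consume_form_token(array &$session, ?string $submitted, int $ttl = 600): bool
{
    $expected = $session['reg_token'] ?? null;
    $issued   = $session['reg_token_issued'] ?? 0;
    unset($session['reg_token'], $session['reg_token_issued']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    if (time() - $issued > $ttl) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Fixed-window rate limit per source IP. $store is an array standing in for a
// shared cache (APCu, Redis): in production the counters must survive across
// requests, which a plain PHP array does not.
function allow_request(array &$store, string $ip, int $now, int $limit = 5, int $window = 3600): bool
{
    $bucket = $ip . ':' . intdiv($now, $window);
    $store[$bucket] = ($store[$bucket] ?? 0) + 1;
    return $store[$bucket] <= $limit;
}

// Demonstration with a constructed session and a constructed IP counter store.
$session = [];
$store   = [];
$token   = issue_form_token($session);

var_dump(consume_form_token($session, $token));     // bool(true): first use
var_dump(consume_form_token($session, $token));     // bool(false): already consumed
var_dump(consume_form_token($session, 'guessed'));  // bool(false): nothing to compare against

$now = time();
for ($i = 1; $i <= 6; $i++) {
    // constructed client address (TEST-NET-3): allowed five times, then refused
    var_dump(allow_request($store, '203.0.113.7', $now));
}
```

In the real script, `issue_form_token($_SESSION)` runs when the page is served and `consume_form_token($_SESSION, $_POST['token'] ?? null)` runs before any registration data is processed, with `allow_request` keyed on the client address your server actually sees (behind a proxy, the address the proxy reports, not `REMOTE_ADDR`). The token is deleted before the comparison so that a failed attempt also spends it; a legitimate user who hits that path simply reloads the form and gets a fresh one.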