Introduction
I am currently trying to build a networking layer for Unity from scratch. Currently I am testing the communication via UDP using Node.js for the server and the client. However, I guess the language of the implementation will not matter for what I am asking.
I have actually only read about security-related things on the server side. But because I need other people to help me test what I am creating, I really need to be sure that they won't be harmed in any way.
Current approach
The current approach using Node.js for the server and the client is pretty basic. I simply send a message from a client to my server while the client and the server are not in the same local network. Both are behind a router and therefore also behind a NAT.
The server then sends back an answer to the IP and port received within the UDP packet that was sent from the client.
Problem
I am curious about the security on the client side regarding malicious data sent by somebody who is spoofing the client and/or NAT. Also, I am not sure whether the fact that my application is opening ports on the client machines and routers might be used for something malicious.
Assumption
So far I have figured out that malicious data might in fact be a problem at the application level. I have also figured out that it is not a security issue when my application opens ports (locally at the client's machine and then when sending within the client's router), or at least I cannot do anything against it.
So in summary this would mean that I only need to protect the client on OSI layers greater than 4 (within the application). Anything less than or equal to OSI layer 4 doesn't need to be made more secure by myself.
Question
So is my assumption correct? If so, what am I able to do against malicious data?
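Added example, not part of the original question: one way a Node.js client could treat every incoming UDP datagram as untrusted before the application acts on it, combining a source check, strict bounds and length parsing, an HMAC tag, and a replay counter. The wire format, the function names and the pre-shared per-session key are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

// Hypothetical wire format (not from the original post):
// magic "UN" (2) | version (1) | counter u32 BE (4) | payloadLen u16 BE (2) | payload | HMAC-SHA256 tag (32)
const MAGIC = 0x554e, VERSION = 1, HEADER = 9, TAG = 32, MAX_PAYLOAD = 1200;

function tagFor(key, body) {
  return crypto.createHmac('sha256', key).update(body).digest();
}

// Sender side (the server in the post): frame and authenticate a payload.
function sealDatagram(key, counter, payload) {
  const head = Buffer.alloc(HEADER);
  head.writeUInt16BE(MAGIC, 0);
  head.writeUInt8(VERSION, 2);
  head.writeUInt32BE(counter, 3);
  head.writeUInt16BE(payload.length, 7);
  const body = Buffer.concat([head, payload]);
  return Buffer.concat([body, tagFor(key, body)]);
}

// Receiver side (the client): accept only a fresh, authentic packet from the expected server.
// `rinfo` is the object dgram passes to the 'message' handler; `lastCounter` is the highest counter accepted so far.
function openDatagram(key, server, rinfo, msg, lastCounter) {
  if (rinfo.address !== server.address || rinfo.port !== server.port) return { ok: false, reason: 'unexpected-source' };
  if (msg.length < HEADER + TAG || msg.length > HEADER + MAX_PAYLOAD + TAG) return { ok: false, reason: 'bad-size' };
  if (msg.readUInt16BE(0) !== MAGIC || msg.readUInt8(2) !== VERSION) return { ok: false, reason: 'bad-header' };
  const len = msg.readUInt16BE(7);
  if (len !== msg.length - HEADER - TAG) return { ok: false, reason: 'length-mismatch' };
  const body = msg.subarray(0, HEADER + len);
  // A UDP source address can be forged, so the HMAC is what actually proves origin.
  if (!crypto.timingSafeEqual(tagFor(key, body), msg.subarray(HEADER + len))) return { ok: false, reason: 'bad-tag' };
  const counter = msg.readUInt32BE(3);
  if (counter <= lastCounter) return { ok: false, reason: 'replay' };
  return { ok: true, counter, payload: Buffer.from(body.subarray(HEADER)) };
}

// Wiring into a dgram socket (key, server, last and handle are the caller's own):
// socket.on('message', (msg, rinfo) => {
//   const r = openDatagram(key, server, rinfo, msg, last);
//   if (r.ok) { last = r.counter; handle(r.payload); }
// });
```

The HMAC authenticates but does not encrypt; the payload returned by `openDatagram` still needs its own field-level validation before the game logic uses it.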