My team has a Web App (Laravel) and an Android application written in Kotlin. Our website has registration and login forms, but my problem is that anyone can build their own app and call the POST method of the registration form.
How can I secure our Web App so that the only POST methods it accepts are from the forms of our own Android app and Web App?
CodePudding user response:
Short answer: you can't.
For web apps, you could restrict origin by allowing specific domains in your CORS config. But since mobile apps can change their IP, there is no 100% secure way to restrict a public endpoint (at least I didn't find one when I faced the same issue).
Anyway, you can try to add an extra security layer by including a request header with some encrypted content that must be decrypted and approved by your API. But this is not completely secure: Android apps can be decompiled with reverse engineering, and they will find how your encrypted header is done.
If the Android app is not public (can't be downloaded from Google Play Services), you can also try to use the generated installation_id, but it will change when the app is reinstalled. In this way, you can approve or reject requests as per installation IDs.
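A concrete version of the signed-header layer this answer describes, added here as an example (Python, not Laravel code from the question or from the answerer): the client HMACs the method, path, timestamp, nonce and raw body with a secret embedded in the app, and the server recomputes the MAC, rejects stale or replayed requests, and compares in constant time. The header names and the secret value are assumptions; as the answer notes, the secret can be recovered from a decompiled APK, so this raises the bar rather than closing the endpoint.

```python
import hashlib
import hmac
import secrets
import time

# Shared secret the app build embeds (constructed demo value). Anyone who
# decompiles the APK can recover it, so this layer only raises the bar.
APP_SECRET = b"constructed-demo-secret-not-for-production"
MAX_SKEW_SECONDS = 300   # reject requests whose timestamp is outside this window
_seen_nonces = {}        # nonce -> timestamp, in-memory replay cache for the demo


def canonical(method, path, ts, nonce, body):
    """Bytes the HMAC covers: method, path, timestamp, nonce and raw body."""
    return b"\n".join([method.upper().encode(), path.encode(),
                       str(ts).encode(), nonce.encode(), body])


def sign_request(method, path, body, ts=None, nonce=None, secret=APP_SECRET):
    """Client side (what the Android app would do): produce the three headers."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-App-Timestamp": str(ts), "X-App-Nonce": nonce,
            "X-App-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now=None, secret=APP_SECRET):
    """Server-side middleware check. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-App-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    nonce = headers.get("X-App-Nonce", "")
    sig = headers.get("X-App-Signature", "")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Expire old nonces, then refuse any nonce already seen inside the window.
    for n, t in list(_seen_nonces.items()):
        if now - t > MAX_SKEW_SECONDS:
            del _seen_nonces[n]
    if not nonce or nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical(method, path, ts, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad signature"
    _seen_nonces[nonce] = ts                     # record only after a valid MAC
    return True, "ok"
```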
CodePudding user response:
You can use JWT tokens to verify the request. If the request is from a legitimate user, then return the JSON data; otherwise return an error. You can read more about JWT tokens here: https://jwt.io/introduction