How to validate a trusted client in an endpoint

Time:10-26

I have one website where, from the browser, I send a POST request to an endpoint with some information about the user's interaction with that page. The JavaScript browser code generates a UUID for the user's visit, and as the user interacts with the page I send POST requests with the updated visit information.

On the backend I save this visit information into a DB. In the backend service I validate that the Host of the request is my web page and also that the User-Agent is valid. But that can easily be hijacked with curl, Postman or whatever, just by modifying the Host and User-Agent headers. Since the service is public (the browser needs to send the information to the backend), how can I implement a method, signature or whatever to ensure that what the backend receives comes from my web page, and that no one else is sending visit information to this endpoint that was not generated in the web page?

CodePudding user response:

What if, in your form, you create a hidden input whose value you also store in the session? Then, when the request is posted, you check that the posted value equals the variable in the session. For instance:

File1.php

<?php
session_start(); // the session must be started before $_SESSION is written
$myvalue = uniqid();
$_SESSION['myvalue'] = $myvalue;
?>
<form action="File2.php" method="post">
<!-- the token travels back in the POST body and is compared with the session copy -->
<input type="hidden" id="var1" name="var1" value="<?php echo htmlspecialchars($myvalue); ?>" />
</form>

Then, in the file that receives the POST request: File2.php

<?php
session_start(); // same session cookie as File1.php, so $_SESSION['myvalue'] is available
if (isset($_POST['var1']) && isset($_SESSION['myvalue'])
    && hash_equals($_SESSION['myvalue'], $_POST['var1'])) { // constant-time comparison
    // ok
}
else {
    // not ok
}
?>

CodePudding user response:

Add reCAPTCHA: https://developers.google.com/recaptcha/docs/v3

It makes it nearly impossible to send the data in any other manner than intended.
