How to secure a no-authentication game leaderboard?

Time: 01-17

I'm making an online quiz game (SPA web application) and I want to implement a leaderboard with the players' scores. I send a request with the player's initials and score to my back-end (REST API). The problem is that anybody could see the request to the REST API in the network tab and send a similar request from Postman. How do you secure such a leaderboard? There is no authentication - you just type in 3 symbols (your initials) just like in arcade games.

I'm using ExpressJS with MongoDB for the back-end.

CodePudding user response:

There is no way to directly secure this. You must trust the client to give you a three-character username, and you must trust the client to report their scores to you. Nothing you do on the transport side adds meaningful security because you must trust the client for these two pieces of data.

At best, you can add some basic heuristics. For instance, if your game is supposed to take ~10 minutes to play and someone reports a perfect score after 3 seconds, you can assume they didn't play the game.

You can also do some standard things around ensuring the user has a valid session, and only reports some small number of scores within a time period, per session ID, and then perhaps a larger number per IP address. (Just keep in mind that a user's IP address can and will change as they pass through different networks, and that many users can share the same IP address legitimately.)

CodePudding user response:

You could move some of the logic to the backend side. For example, you could send the user's answers to the server and calculate the score there (it shouldn't be too hard since you are using node.js).

If you are not able to do that for some reason, there's no foolproof way to secure your leaderboard (as @Brad mentioned). You can, however, make it much harder by using browser fingerprinting and such techniques (tracking the mouse movements, etc.). If you decide to go that way and have any further questions, feel free to @ me.
