I know how to implement token-based authentication. But my concern is user actions like register, login or verify, against attacking bots. I can imagine a bot making requests through fake phone numbers and my SMS or mail server will respond to all of them! Or thousands of registered users are in the users table in the database which are fake and not verified. I know some firewall strategies to block these types of attacks and traffic in the network layer. But is it possible to secure "unauthenticated" HTTP actions with a Captcha code or another way?
If yes, how can I send the captcha image from the API server to the client? In RAW? If sending a Captcha is possible, then how can I find which captcha is for which client? Can a session be helpful?
Thanks for your attention.
You could implement a form of CSRF (Cross-site request forgery) trapping to avoid this. I use a combination of CSRF and honeypot fields. Here is the basic rundown:
If the tests fail, I respond with a 401 or 404.
Reg bots will usually fill honeypot fields, and some are smart enough to circumvent CSRF - I log all attempts that fail these tests and capture quite a few bot attempts.
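The check the answer describes (a session-bound CSRF token plus a hidden honeypot field, failures answered with 401 and logged), as an added example that is not the poster's own code. It assumes the client already holds an opaque session id, that the form field carrying the token is named `csrf`, and that `website` is the hidden honeypot field a real user never sees or fills.

```python
import hashlib
import hmac
import logging
import secrets
import time
from typing import Optional, Tuple

# Constructed for this example: a per-process signing key and an in-memory
# set of consumed nonces (a real deployment would keep both in a shared store).
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 600
HONEYPOT_FIELD = "website"          # assumed name of the hidden honeypot input
_consumed_nonces = set()            # makes each token single-use
log = logging.getLogger("antibot")


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token bound to one session: ts:nonce:HMAC(session_id, ts, nonce)."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{ts}:{nonce}".encode()
    mac = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def _reject(session_id: str, reason: str) -> Tuple[int, str]:
    # Every failed attempt is logged, as the answer describes, then refused with 401.
    log.warning("bot check failed session=%s reason=%s", session_id, reason)
    return 401, reason


def verify_registration(session_id: str, form: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Return (http_status, reason); 200 only when every anti-bot check passes."""
    current = int(time.time() if now is None else now)
    if form.get(HONEYPOT_FIELD):                      # humans leave the hidden field empty
        return _reject(session_id, "honeypot filled")
    parts = str(form.get("csrf", "")).split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return _reject(session_id, "missing or malformed csrf token")
    ts, nonce, mac = int(parts[0]), parts[1], parts[2]
    expected = hmac.new(SIGNING_KEY, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):        # constant-time: token must belong to this session
        return _reject(session_id, "csrf token not issued for this session")
    if not ts <= current <= ts + TOKEN_TTL_SECONDS:
        return _reject(session_id, "csrf token expired")
    if nonce in _consumed_nonces:
        return _reject(session_id, "csrf token replayed")
    _consumed_nonces.add(nonce)
    return 200, "ok"
```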