
securing slim 3, RESTful API

I know how to implement token-based authentication. But my concern is user actions like register, login or verify, against attacking bots. I can imagine a bot making requests through fake phone numbers, and my SMS or mail server will respond to all of them! Or thousands of registered users in the users table in the database which are fake and not verified. I know some firewall strategies to block these types of attacks and traffic in the network layer. But is it possible to secure "unauthenticated" HTTP actions with a Captcha code or another way?

If yes, how can I send the captcha image from the API server to the client? In RAW? If sending a Captcha is possible, then how can I find which captcha is for which client? Can a Session be helpful?

Thanks for your attention.

You could implement a form of CSRF (Cross-site request forgery) trapping to avoid this. I use a combination of CSRF and honeypot fields. Here is the basic rundown:

  1. The server populates a field via a hidden-type input tag containing a value which is set on the fly and stored on the server as a session variable.
  2. The form also contains a textfield (type="text" or textarea) that is hidden using CSS.
  3. When the form is posted, the hidden value (CSRF token) must match the saved Session version, and
  4. The honeypot field must be empty.

If the tests fail, I respond with a 401 or 404.

Registration bots will usually fill honeypot fields, and some are smart enough to circumvent CSRF. I log all attempts that fail these tests and capture quite a few bot attempts.
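An added example of the token-plus-honeypot check described in the answer above (it is illustrative code, not the answerer's own and not part of Slim). It is plain PHP 7+ so it runs with `php` alone: the `$session` array stands in for `$_SESSION`, the field names `_token` and `website`, the 600-second lifetime and the function names are this example's own choices, and the four submissions at the bottom are constructed, not captured traffic.

```php
<?php
// Added example: CSRF token + honeypot validation for an unauthenticated
// endpoint such as /register. Not from the original answer; names are assumed.
declare(strict_types=1);

const CSRF_FIELD     = '_token';   // hidden input / JSON field carrying the token
const HONEYPOT_FIELD = 'website';  // text field hidden with CSS; humans leave it empty
const TOKEN_TTL      = 600;        // seconds a token stays valid (assumed value)

/** Mint a fresh token, store it in the session and return it for the form or JSON response. */
function issueCsrfToken(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $session['csrf'] = ['token' => $token, 'issued' => $now];
    return $token;
}

/**
 * Validate a submission. Returns null when it passes, otherwise a short reason
 * for the log line. The token is single-use: it is removed from the session
 * whether the check passes or fails, so a replay with the same token is refused.
 */
function checkSubmission(array &$session, array $body, int $now): ?string
{
    $stored = $session['csrf'] ?? null;
    unset($session['csrf']);

    if ($stored === null) {
        return 'no token in session';
    }
    if ($now - $stored['issued'] > TOKEN_TTL) {
        return 'token expired';
    }
    $sent = $body[CSRF_FIELD] ?? '';
    if (!is_string($sent) || !hash_equals($stored['token'], $sent)) {
        return 'csrf token mismatch';          // constant-time compare, no timing leak
    }
    // Honeypot: present in the markup, hidden by CSS, must come back empty.
    if (($body[HONEYPOT_FIELD] ?? '') !== '') {
        return 'honeypot filled';
    }
    return null;
}

// --- Demo with constructed submissions (no real client involved) ---
$now = time();
$session = [];

// 1. Human: fetched the form, posts it back with the token and an empty honeypot.
$token = issueCsrfToken($session, $now);
$human = [CSRF_FIELD => $token, HONEYPOT_FIELD => '', 'phone' => '+10000000000'];
var_dump(checkSubmission($session, $human, $now + 5));      // NULL -> accept

// 2. Bot that scraped the form but auto-filled every text input, honeypot included.
$token = issueCsrfToken($session, $now);
$bot = [CSRF_FIELD => $token, HONEYPOT_FIELD => 'http://spam.example', 'phone' => '+10000000001'];
var_dump(checkSubmission($session, $bot, $now + 5));        // "honeypot filled"

// 3. Bot posting straight to the API with a guessed token.
issueCsrfToken($session, $now);
$direct = [CSRF_FIELD => str_repeat('a', 64), HONEYPOT_FIELD => '', 'phone' => '+10000000002'];
var_dump(checkSubmission($session, $direct, $now + 5));     // "csrf token mismatch"

// 4. Replay of the human's submission: the token was consumed by the earlier checks.
var_dump(checkSubmission($session, $human, $now + 5));      // "no token in session"
```

To wire this into a Slim 3 app, the route that serves the registration form (or a JSON "form description" for an API client) would call `issueCsrfToken($_SESSION, time())` after `session_start()` and return the token to the client; the session cookie is what ties that token to a particular client, which answers the "which captcha is for which client" question for a token as well. A middleware registered with `$app->add()` would then run `checkSubmission($_SESSION, (array) $request->getParsedBody(), time())` for POST requests to the protected routes and, when the result is non-null, write the reason and the remote address to the log and return `$response->withStatus(401)` without touching the database or the SMS/mail server.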
