
How to prevent the response from the server being modified by users?

I have built a system using Spring, Java and Angular. When the user successfully logs in to the system, the back-end fetches the list of roles for that particular user. Then I realized that the response from the server can be modified before it reaches the user. Thus, it is possible for the user to add more roles for themselves and perform illegal actions.

For example: User A is supposed to have the role to view the data only. But when the API calls the back-end to fetch the roles, the user intercepts the response from the server and adds the modify role to himself. Now the user is able to see the modify button and start to modify something.

Is there any way to prevent this scenario from happening?

Keep the backend checking the user's role on each request. I mean, if your user requests an action (with a modified role) you always check if the user has a valid token and if their role (saved in your db) allows them to do it. This way it does not matter what the user sends to you; you always confirm whether the action is allowed or not.

In this case the only way to do something illegal is having another user's access token, but this is another security issue.
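The pattern described in the answer, as an added Spring Security example that is not part of the original post: the roles are loaded from the database on the server for every request, and each endpoint is guarded with `@PreAuthorize`. The roles the client receives after login are only a hint for showing or hiding buttons; editing that response changes nothing on the server, because the server never reads roles back from the client. The repository, entity and DTO names (`UserAccountRepository`, `UserAccount`, `DocumentDto`, `DocumentService`) are hypothetical placeholders.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;

// Enables @PreAuthorize evaluation on controller and service methods.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Roles come from the database on every authenticated request. The client never
// supplies them; the only client-supplied input is the authentication token.
// UserAccountRepository and UserAccount are hypothetical placeholders.
@Service
class DbUserDetailsService implements UserDetailsService {
    private final UserAccountRepository repo;

    DbUserDetailsService(UserAccountRepository repo) {
        this.repo = repo;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserAccount account = repo.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("no such user: " + username));
        List<GrantedAuthority> authorities = account.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))   // e.g. ROLE_VIEWER, ROLE_EDITOR
                .collect(Collectors.toList());
        return User.withUsername(account.getUsername())
                .password(account.getPasswordHash())
                .authorities(authorities)
                .build();
    }
}

@RestController
@RequestMapping("/api")
class DocumentController {
    private final DocumentService documents;   // hypothetical placeholder service

    DocumentController(DocumentService documents) {
        this.documents = documents;
    }

    // Returned only so the Angular front-end can decide which buttons to render.
    // A tampered copy of this response does not grant anything: the checks below
    // use the server-side Authentication object, not this payload.
    @GetMapping("/me/roles")
    public List<String> myRoles(Authentication auth) {
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
    }

    // Viewing requires VIEWER or EDITOR, enforced on the server per request.
    @GetMapping("/documents/{id}")
    @PreAuthorize("hasAnyRole('VIEWER', 'EDITOR')")
    public DocumentDto view(@PathVariable long id) {
        return documents.load(id);
    }

    // Modifying requires EDITOR. A user who only has VIEWER in the database gets
    // HTTP 403 here no matter what the front-end showed them.
    @PutMapping("/documents/{id}")
    @PreAuthorize("hasRole('EDITOR')")
    public DocumentDto modify(@PathVariable long id, @RequestBody DocumentDto body) {
        return documents.update(id, body);
    }
}
```

The important design point is that `/me/roles` is purely cosmetic: if an attacker rewrites that response to include `ROLE_EDITOR`, the Angular UI will draw a modify button, but the `PUT /api/documents/{id}` call it triggers is still evaluated against the authorities loaded by `DbUserDetailsService` from the database, so the request is rejected with 403. Any authorization that matters must live in those server-side annotations (or equivalent checks in the service layer), never in front-end logic.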
