So I have a React Native App where a user can register. React Native uses the normal JavaScript Fetch API:
fetch("http://myip:8000/api/account/register/", {
  method: "POST",
  headers: {
    "Accept": "application/json",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    username: username,
    password: password,
    email: email
  })
})
  .then(response => {
    return response.json()
  })
  .then(data => {
    afterRegister(data)
  })
  .catch(error => {
    console.log(error)
  })
The problem is that I could also make a POST request from e.g. POSTMAN :/ I thought about a security code that I would add to the body (hardcoded), so that only the client that has the code could make a POST request. Such a code could look like this: Dhiuw1298md()AJM8d9j289j)N ASIDH)8zh2n1ujD)(AZwh98em9812z)(ZDM)("ZM)8mdwuJio2h1hn398 and so on...
But now if I do this and a user registers in the app, he/she could also use a man-in-the-middle attack to fetch the code and then spam POST requests to the server until the server crashes.
How can I prevent the user from seeing the content of the HTTPS POST request with a man-in-the-middle attack?
I also could make a POST request from e.g. POSTMAN :/
[…] spam POST requests to the Server until the Server crashes.
A code is only useful for authentication, i.e. identifying which user is sending the request to your server (and it's no good if the code is shared across all users, i.e. basically public). It doesn't help against a DoS attack - that's what a firewall is good for.