How do I make a secure AJAX post?

  • Since the AJAX request is server side and can be seen, can't someone simply manipulate it in the browser console?

    So if an addHighScore(globalVarHS) is an AJAX request (simplified for conversation's sake) it can be found in the browser, right?

    Then if they know what parameters are needed can't they either change the variable value in the console or spoof it another way?

    How can you authenticate an AJAX request to prevent this?

    2 Notes:

    I know that I know enough to know stuff but not enough that it's dangerous—lol I mean, well, I think you can make sense of that.

    I know this isn't really a Construct issue, it is the same for any AJAX, but thought I would still ask here as well since Construct has the AJAX plugin.

    I don't need a full explanation if someone can point me in the right direction—a link or what the term is to search.

    Thanks

  • You can consider using a service like PlayFab/GameSparks/Firebase, which offers the ability to authenticate users and can even add some security features for verifying incoming data.

    Actual client side game data can however always be manipulated.

  • You can encrypt or hash the data you send.

    Here is the Hash plugin for C2:

  • > You can encrypt or hash the data you send.

    > Here is the Hash plugin for C2:

    Couldn't the in-browser AJAX still be manipulated? (this is what I was talking about when I said I know some but not enough)

    > You can consider using a service like PlayFab/GameSparks/Firebase, which offers the ability to authenticate users and can even add some security features for verifying incoming data.

    > Actual client side game data can however always be manipulated.

    Thanks, I'll take a look at those

  • > Couldn't the in-browser AJAX still be manipulated? (this is what I was talking about when I said I know some but not enough)

    Yes, AJAX can be manipulated. But without the correct hash key hackers will not be able to re-calculate the hash for modified data. And when you check the hash on the server, you'll know that the data has been tampered with.

    Of course you need to use the same key and hash algorithm in the game and on the server.

  • > Couldn't the in-browser AJAX still be manipulated? (this is what I was talking about when I said I know some but not enough)

    > Yes, AJAX can be manipulated. But without the correct hash key hackers will not be able to re-calculate the hash for modified data. And when you check the hash on the server, you'll know that the data has been tampered with.

    > Of course you need to use the same key and hash algorithm in the game and on the server.

    Okay that kind of makes more sense to me and I can look up the details to fill in the blanks (on my understanding). Thanks!
