Ensure that function is being called by actual user and not a bot

I have a ruby on rails app which essentially runs on a bunch of AJAX calls and a tonne of jquery/javascript. A particular action accepts an id(integer and serially ordered) and returns some value. The nature of the application is such that I want to allow the function to be called only when called from the browser or how a regular user would interact with the app. However, a malicious user can probably set up a bot to call the function with the id to get the return value. Is there a way to stop this?


You will not be able to differentiate between bots and real users 100% of the time. Whatever counter-measure you put in, a bot would be able to bypass if the bot creator cares enough. You need to ask yourself how important it is to you to stop bots and weigh it against the time you will take to implement and maintain your counter-measures and how much you'll be hassling your real users. Some possibilities:

  • Captcha - will stop most bots and irritate real users
  • Anti-bot question ("what's 4 plus five?") - will stop most bots and slightly irritate real users
  • Rails's CSRF protections - will stop some bots and not affect real users
  • Require users to be logged in/verified by e-mail - will stop most bots and highly irritate real users if they don't already have to have accounts

Need Your Help

AVPlayer doesn't show anything

ios objective-c youtube avplayer avplayerlayer

I try to embed different videos from youtube vimeo, dailymotion.

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.