Ensure that function is being called by actual user and not a bot

I have a ruby on rails app which essentially runs on a bunch of AJAX calls and a tonne of jquery/javascript. A particular action accepts an id(integer and serially ordered) and returns some value. The nature of the application is such that I want to allow the function to be called only when called from the browser or how a regular user would interact with the app. However, a malicious user can probably set up a bot to call the function with the id to get the return value. Is there a way to stop this?

Answers


You will not be able to differentiate between bots and real users 100% of the time. Whatever counter-measure you put in, a bot would be able to bypass if the bot creator cares enough. You need to ask yourself how important it is to you to stop bots and weigh it against the time you will take to implement and maintain your counter-measures and how much you'll be hassling your real users. Some possibilities:

  • Captcha - will stop most bots and irritate real users
  • Anti-bot question ("what's 4 plus five?") - will stop most bots and slightly irritate real users
  • Rails's CSRF protections - will stop some bots and not affect real users
  • Require users to be logged in/verified by e-mail - will stop most bots and highly irritate real users if they don't already have to have accounts

Need Your Help

How to compile resources folder with Maven command

maven maven-3

I'm using mvn compile to compile my Maven webapp. This project has a resources folder instead of the java folder created for a .jar project. My problem is that mvn finds no sources, and I haven't f...

When using a HashMap are values and keys guaranteed to be in the same order when iterating?

java collections hashmap

When I iterate over the values or keys are they going to correlate? Will the second key map to the second value?