Pixelairport's avatar

Can a user fake his IP to a specific address

I have a gateway and microservices, which only allow requests from one IP. I use Laravel and $request->ip(). Is it possible for a user to fake his IP to call the microservice directly and say that he has the IP of the gateway? I think no, but I have to be 100% sure.

0 likes
laracoft's avatar

@pixelairport

Is it possible to be 100% sure a software cannot be hacked?

It really depends on your network setup. It's usually quite hard to establish a proper TCP connection with a spoofed IP address, but possible if the network is compromised.

1 like
sr57's avatar

Is it possible for a user to fake his IP to call the microservice directly and say that he has the IP of the gateway?

Yes

But he'll never get the answer :-)

Pixelairport's avatar

@laracoft I also have other security things. Like a client access token, which changes every 60 seconds. But I want to create as much security as possible.

@sr57 You mean he could do this, even if it is a lot of work, but the answer response is sent to the IP he sent (my gateway)? So he would not get the errors saying what is wrong with the request? Because each request needs some extra information which is generated by the gateway first. So the user will not know which information this is?

PS: Just saw a video about IP spoofing. So the user could fake the IP and do a lot of requests to my microservice. Then there is no way to block this user? Right? I also have other middleware. He could not do anything, but make a lot of requests so that the server will go down. Am I right? But what would be a solution for that?

laracoft's avatar

@pixelairport

First, do you know the difference between TCP and UDP? Spoofing IP on UDP is easy, spoofing IP on TCP such that it hits Laravel is not easy.

Not sure what video you are watching, but it sounds like denial of service attacks, it is not the same as spoofing of IP addresses.

sr57's avatar
Best Answer

the IP he sent (my gateway)?

Yes

Even with no token, security is high level, one IP and token is VERY HIGH level

no way to block this user?

Yes, it's DOS or DDOS attacks, you can have some protections (see on the Web) but be careful if you use a third-party provider; you'll decrease security ... I bet you'll never be attacked, except if you are/work for a very attractive business but in this case you have the resources to protect yourself.

1 like
Pixelairport's avatar

thx @pixelairport and @sr57 ... I think I will go with IP check and token and just called a good friend, who is a 100% developer. I also do a lot of other things and it is impossible to know everything... so maybe I understand only 80% of what he said, but he said to do this with IP and be sure that I can disable the filter later, because he will help me with the hosting in a network. So that the microservices are not available from outside. Hope this makes sense. And with DDoS I will do it like @sr57 says... When the app is getting bigger and really makes some money, I will maybe have somebody who will be responsible for this. But really thanks to you for talking about this topic.
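The combination the thread settles on (gateway IP check plus a token that changes every 60 seconds), sketched as a Laravel middleware. This is an added example, not code from any poster. The class name, the `services.gateway.*` config keys, the `X-Gateway-Token` header and the HMAC-over-time-window token scheme are all assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\IpUtils;

// Hypothetical middleware: accept a request only if it comes from the
// gateway's address AND carries a token derived from a shared secret.
class OnlyFromGateway
{
    private const WINDOW = 60; // seconds per token window, as in the thread

    public function handle(Request $request, Closure $next)
    {
        // Assumed config keys, not part of a default Laravel install.
        $gatewayIp = (string) config('services.gateway.ip');
        $secret    = (string) config('services.gateway.secret');

        // $request->ip() is the TCP peer address unless trusted proxies are
        // configured; then it may be taken from X-Forwarded-For instead.
        if ($secret === '' || ! IpUtils::checkIp((string) $request->ip(), $gatewayIp)) {
            abort(403);
        }

        // Assumed header name for the rotating token sent by the gateway.
        $token = (string) $request->header('X-Gateway-Token', '');
        if (! $this->tokenIsValid($token, $secret, time())) {
            abort(403);
        }

        return $next($request);
    }

    // Accept the current window and the previous one to tolerate clock skew.
    private function tokenIsValid(string $token, string $secret, int $now): bool
    {
        $window = intdiv($now, self::WINDOW);
        foreach ([$window, $window - 1] as $w) {
            $expected = hash_hmac('sha256', (string) $w, $secret);
            if (hash_equals($expected, $token)) { // constant-time comparison
                return true;
            }
        }
        return false;
    }
}
```

The token check is what still holds if the source address alone is ever wrong, and the IP filter can be dropped later once the microservices are no longer reachable from outside.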
