Can someone fake post request code?

I am too curious about these things, if I have vue front connected on some backend for api.

And with vue router beforeEach I send post request to backend where I send within post:

{ route: to.name }

On backend I have array with routes name and type like:

[ 'home' => [ 'type' => 'auth' ] ]

Now I check if post request route is key in this array and if it is not I return response with 404 code.

If it is I check is user auth or not, if it is not I return 403 code

And if route is home and user is auth I return 200 code

On front with axios if I get 200 code I run next(), otherwise I run next() to login page for 403 and next() for 404 with some data to display 404 page instead of blank page.

Now my question would be for 403 code, can someone fake post request response, instead 403 to get 200? Even tho 403 was sent from backend?

Thanks

nick.a

7 years ago

Best Answer

Level 19

Ultimately you should be protecting your API endpoints. It doesn't matter too much if a user can navigate to a page they aren't supposed to be on as long as the server doesn't serve them data they are not supposed to see.

Let's say you have an admin page that has a table of users or something, sure with front end code there is probably a way for them to get access to that route. The important thing is that the server checks the authenticated user and doesn't return the important data that would be on that page. Front end javascript can be modified, server responses can't by the client if no data is sent to the front end.

1 like

HUGE_DICK_10_INCHES

7 years ago

Level 5

@MANGLERULE - Thanks, backend points are secured, I am just thinking about everything too much. Like those things.

1 like

Please or to participate in this conversation.