How do I safely insert a mongo document from a JSON post on my Flask API?

Time: 2022-05-23 07:15:20

I have an Android game that pushes usage data to a Flask service in JSON format. When the request comes in, I'm just inserting the JSON straight into the mongo collection where I'm keeping statistics.

Is this unsafe? How can I, in Flask, ensure that the post requests are coming from my game before I insert them into the mongo collection?

1 solution

#1


1  

I'm doing the same thing as you describe in my project (we don't do any validation, btw). If your users don't have to log in to the game, you don't have many options. You can use CSRF tokens, but this option is not safe enough. Another option is to generate these "requests" from the application server, instead of the client. This will ensure that the data is not compromised.
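
As an added example (not part of the original question or answer), one way to avoid inserting the posted JSON as-is is to rebuild the document from an allow-list of fields before it reaches the collection. The field names, limits and the `clean_stats` helper are hypothetical; in a Flask view the input would come from `request.get_data()` and the result would go to pymongo's `insert_one`.

```python
import json

MAX_BODY_BYTES = 4096  # assumed cap; a stats event is small

# Hypothetical schema: field -> (accepted types, range/value check)
SCHEMA = {
    "device_id": (str, lambda v: 1 <= len(v) <= 64),
    "event": (str, lambda v: v in {"level_start", "level_end", "purchase"}),
    "level": (int, lambda v: 0 <= v <= 1000),
    "duration_s": ((int, float), lambda v: 0 <= v <= 86400),
}


def clean_stats(raw_body: bytes) -> dict:
    """Return a new dict built only from allow-listed scalar fields,
    or raise ValueError. The caller maps ValueError to HTTP 400."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        payload = json.loads(raw_body)
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("not valid JSON") from exc
    if not isinstance(payload, dict):
        raise ValueError("top level must be an object")
    # Rejecting unknown keys also keeps "$"-prefixed or dotted keys out.
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    doc = {}
    for name, (types, check) in SCHEMA.items():
        if name not in payload:
            raise ValueError(f"missing field: {name}")
        value = payload[name]
        # bool is a subclass of int, so exclude it explicitly; nested
        # objects such as {"$ne": null} fail the isinstance test.
        if isinstance(value, bool) or not isinstance(value, types) or not check(value):
            raise ValueError(f"bad value for {name}")
        doc[name] = value
    return doc


if __name__ == "__main__":
    # Constructed sample body, not real game traffic.
    sample = b'{"device_id": "abc123", "event": "level_end", "level": 3, "duration_s": 42.5}'
    print(clean_stats(sample))
```

This only constrains what gets stored; it does not establish that a request came from the game.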
