
What stops a malicious user from hitting an endpoint with falsified data from the console of a webpage?

Çağlar Arlı

I'm a little bit of an amateur on API security. I'm building a browser-based puzzle with a leaderboard, and I'm wondering what prevents a user from simply hitting the /success endpoint with data that basically equates to { time: '3s' }, automatically putting them at the top of the leaderboard without even actually finishing the puzzle.

If they just fetch from the console, what's to stop them from falsifying their result? The headers can all be faked to look authentic, right? And from the console it would still be "coming from your webpage" so it would pass a whitelist. So how is this handled?