Home/ Questions/Q 567661
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T13:06:25+00:00

I’ve made a voting on comments like the one this website has(something similar), and

  • 0

I’ve made a voting on comments like the one this website has(something similar), and I’m slightly concerned about possible http request misuse. You’ll know what I mean after I show you the questionable code:

$.ajax({
  type: 'POST',
  url: 'http://localhost/comments/vote_down/' + post_id
});

Now its still on localhost but it will get to the web eventually. What if someone just makes some kind of script which will run n times this url http://localhost/comments/vote_down/post_id .

Not even user authentication is very helpful, you just tweak your malicious script to authenticate and you can do it again. How can I make this request more secure, what can I do? thank you

EDIT

I see some answers , not the ones I’ve been looking for so far.

Maybe I’m expecting too much, is there a way I can directly refuse this request to anyone but someone redirected from localhost(or website.com), after x attempts to do so .

Maybe some kind of header authentication? I’m not very into that that is the main reason why I ask.

EDIT

Also what I’ve discovered accidentaly about a minute or so ago, I was browsing trough few similar questions and my firebug was on, I added one question to favorites .. saw console post response 200 OK then I tried it for like 10 times just to see when will I be rejected to do the same again.. eventually I got bored .. so if StackOverflow didn’t solve that .. what am I trying to do :=)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    At the bare minimum, you can make sure that every user can only vote once.

    • If user is not logged in, don’t alow voting.
    • If user is logged in, restrict voting to one vote per comment (whether they can change the vote from up to down or not is up to you)
    • If you want to let unregistered users vote, lock them out with cookies and ip address and useragent checking. (Far from bulletproof, but will keep some troublemakers at bay)

    Additional options:

    • Implement a captcha

    In response to your edit:

    If you are talking about checking for a valid referring page, you are out of luck. That is incredibly easily spoofed. You can implement a token check where you generate a hash that is valid for X seconds and deny all requests with an invalid or expired hash. This will not prevent people from voting multiple times though.

    In response to your second edit:

    A status code of 200 only means that the http request was successful, what the application logic decided to do with the request is a completely different issue. You can deny the vote and return a 200, just as you can return a 403 (which would probably be more appropriate in this case though).

    • 0