My friend and I are working on a program. This program is going to submit GET data to our webpage. However, we don’t want users accessing the webpage any other way than the program. We can prevent users from sharing the program using HWID authentication, but nothing prevents them from using a packet scanner to get the URL of the webpage. We thought about user-agent authentication, which we will implement, but user-agents can easily be spoofed.
So my question is, how can we prevent users from accessing the webpage directly, instead of through the program?
Even if you don’t have an answer that will completely work, anything that will help deter them would be nice.
Currently we will be implementing:
HWID Authentication to use the program
User-Agent Authentication to access the web page
Instant IP Blacklisting to anyone accessing the webpage without the proper User-Agent
Do not rely on user agent or any kind of browser fingerprint, HTTP headers are easily forged/spoofed.
You could add some secret token (eg. password/login) to the request and send it through SSL to prevent eavesdropping.
Or better, use an SSL client certificate.
Edit Are you going to distribute the VB program? If so, as bobince mentioned, there’s no way you can prevent a determined hacker to forge requests. You can raise the bar but it will be security through obscurity. Even with client certs, the hacker will be able to extract the cert from your program and send modified requests.
As long as you accept requests from the client, these requests can be forged. Deal with it.