This is probably quite a simple, newbie question for seasoned Web developers, which I am not, and googling around does not help.
I have a very simple webapp hosted on Heroku, the code of which is here. It has two JSP pages, one index, one with the validation results, nothing fancy. The two JSP pages are here (index.jsp) and here (results.jsp).
The problem is with the validation servlet: it is a POST, and is triggered, when using the app itself, via an input button in index.jsp. But I have tested that it will also work if I call the servlet directly… And I don’t want that.
Is there a way to reliably ensure that this servlet may only be called when coming from the index page (and send a 403 otherwise)?
One way I’ve used is to have the input form on index.jsp include a hidden field which contains an MD5 hash which the results.jsp can also calculate. I use the MD5 hash of the client machine’s IP address concatenated with a shared secret phrase.
I guess for a given client IP address the hash is always going to be the same, so you could also salt it with another value (like the current time) which is passed in another hidden field for inclusion in the calculation by results.jsp.
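The scheme from the answer above (client IP plus a shared secret plus a timestamp, carried in hidden fields and recomputed server-side), written out as an added example that is not the asker's or answerer's code. It swaps the answer's MD5 for HMAC-SHA256 and adds a freshness window and a constant-time comparison; the class name, the `FormToken` methods, the placeholder secret and the 10-minute window are all assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat; // Java 17+

public final class FormToken {
    // Server-only secret (constructed placeholder; load from configuration in a real deployment).
    private static final byte[] SECRET = "replace-with-a-long-random-server-secret".getBytes(StandardCharsets.UTF_8);
    // Assumed window: a form token older than this is rejected even if the HMAC matches.
    private static final long MAX_AGE_MILLIS = 10 * 60 * 1000L;

    /** Token that index.jsp would place in a hidden field next to the issuedAt timestamp field. */
    public static String compute(String clientIp, long issuedAtMillis) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            String payload = clientIp + "|" + issuedAtMillis; // IP and time bound together under the secret
            return HexFormat.of().formatHex(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Check the two hidden fields posted to the servlet; a false result is where the 403 goes. */
    public static boolean verify(String clientIp, String issuedAtField, String tokenField, long nowMillis) {
        if (clientIp == null || issuedAtField == null || tokenField == null) return false;
        long issuedAt;
        try {
            issuedAt = Long.parseLong(issuedAtField);
        } catch (NumberFormatException e) {
            return false;
        }
        long age = nowMillis - issuedAt;
        if (age < 0 || age > MAX_AGE_MILLIS) return false; // clock skew backwards or stale token
        byte[] expected = compute(clientIp, issuedAt).getBytes(StandardCharsets.UTF_8);
        byte[] actual = tokenField.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String ip = "203.0.113.7"; // constructed sample client address
        String token = compute(ip, now);
        System.out.println("same client, fresh:   " + verify(ip, Long.toString(now), token, now + 5_000));
        System.out.println("different client ip:  " + verify("198.51.100.9", Long.toString(now), token, now + 5_000));
        System.out.println("past the window:      " + verify(ip, Long.toString(now), token, now + MAX_AGE_MILLIS + 1));
    }
}
```

Behind a proxy such as Heroku's router, `request.getRemoteAddr()` typically returns the proxy's address rather than the client's, so the IP half of the token only works if the servlet reads the forwarded client address consistently on both pages. This stops requests that skip index.jsp entirely; it does not prove the POST came from a browser, since anyone who can load the form within the window receives a valid token.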