Nodejs Security issue client sending request

I’m creating a browser game, I know browsers aren’t really safe but I was wondering if there’s any workaround my issue.

A player kills a monster and the platform sends an ID to my backend like so:

Axios({
   url: this.server + "reward",
   headers: { token: "foo123", charToken: "bar123" },
   method: "POST",
   data: {
      id: 10001, // Monster ID
      value: 10 // How many monsters were killed
   },
});

The problem is, I see no possible way to prevent a user to just send random requests to the server, saying he actually did this level 300 times in a second and getting 300x reward items/exp.

I thought about requesting a token before sending this reward request, but this just makes it harder and doesn’t really solve anything.

11 thoughts on “Nodejs Security issue client sending request”

Leave a Comment