How To Prevent GET Requests?

I am creating a site that will encourage users to visit again. Therefore, I'm afraid of people sending spam or bots to the site.
How can I block this type of spam? I've heard of spamming GET requests to make it look like there are more visits. What can I do to protect myself?

The main way to cut down on artificial bot traffic is to use a "captcha" image.
Look into reCaptcha or secureimage and integrate one of them. Whether you submit via GET or POST, the captcha variable is checked on the server side, at which point you can admit or deny the request for the purpose of keeping bots out.
Hope this helps.
R

Related

api design - How to design public POST api to prevent spam request

I am developing a public website.
One of the pages lets people submit opinions.
They need to enter an email, phone, message, etc., in order to submit the opinion form.
This means I need to make an API for people, so that after they press the submit button, a POST request is sent.
But some people might abuse this function (e.g. create a bot to send a massive amount of POST requests).
Since the frontend design is already finished and no reCAPTCHA is used in the frontend, I was wondering whether there are backend ways to do it.
Are there any ways/best practices to prevent this kind of thing?
I am using Node.js (AWS Lambda) for my API function.
Yes, if there is still a way to implement captchas, use the package "svg-captcha". If you only want to deal with the backend, look at this header: req.headers['user-agent'], so you can track down those who abuse the requests and limit their access for a while.
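A backend-only limit of the kind the answer suggests, as an added example for a Node.js Lambda handler (not the answerer's code): requests are counted per source IP in a fixed window, and denied requests are recorded together with the User-Agent header so abusers can be reviewed later. The User-Agent is chosen by the client and trivially rotated, so it is kept as evidence rather than used as the rate-limit key; the source IP from the API Gateway event carries the decision. The limits, the in-memory table and the event shape are assumptions for illustration; a real deployment keeps the counters in a shared store, since Lambda containers are recycled.

```javascript
// Added example, not from the original answer. Assumes an API Gateway (REST)
// event; limits and storage are illustrative.
const WINDOW_MS = 60 * 1000;   // one-minute window
const MAX_REQUESTS = 5;        // per source IP per window

const counters = new Map();    // sourceIp -> { windowStart, count }
const abuseLog = [];           // denied requests kept for later review

// Fixed-window counter. Returns { allowed, remaining, retryAfterMs }.
function checkRateLimit(key, now = Date.now()) {
  const windowStart = Math.floor(now / WINDOW_MS) * WINDOW_MS;
  let entry = counters.get(key);
  if (!entry || entry.windowStart !== windowStart) {
    entry = { windowStart, count: 0 };
    counters.set(key, entry);
  }
  entry.count += 1;
  const allowed = entry.count <= MAX_REQUESTS;
  return {
    allowed,
    remaining: Math.max(0, MAX_REQUESTS - entry.count),
    retryAfterMs: allowed ? 0 : windowStart + WINDOW_MS - now,
  };
}

// API Gateway does not guarantee header casing, so normalise to lower case.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Lambda handler for the opinion form. `now` is injectable for testing.
function handleOpinion(event, now = Date.now()) {
  const headers = normaliseHeaders(event.headers);
  const ctx = event.requestContext || {};
  const ip = (ctx.identity && ctx.identity.sourceIp) || 'unknown';
  const ua = String(headers['user-agent'] || '').slice(0, 200);

  const verdict = checkRateLimit(ip, now);
  if (!verdict.allowed) {
    // Record who was blocked; the UA is evidence, not the key.
    abuseLog.push({ ip, ua, at: now });
    return {
      statusCode: 429,
      headers: { 'Retry-After': String(Math.ceil(verdict.retryAfterMs / 1000)) },
      body: JSON.stringify({ error: 'too many requests' }),
    };
  }
  // ... validate email, phone and message here, then store the opinion ...
  return { statusCode: 202, body: JSON.stringify({ ok: true, remaining: verdict.remaining }) };
}

function abuseReport() {
  return abuseLog.slice();
}

module.exports = { checkRateLimit, handleOpinion, abuseReport, MAX_REQUESTS, WINDOW_MS };
```

The `Retry-After` header tells well-behaved clients when the window resets; a bot will ignore it, which is exactly what makes the abuse log useful for a longer block at the gateway or WAF.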

How to check if a site user is real (without every time showing him a captcha)?

I want to count page views and/or users on my site.
How to exclude bot (or otherwise fraudulent) views from the count?
I want to make it highly secure so that it would be very difficult to write a bot that significantly tampers with the statistics.
My ideas for solutions:
Use the Google Analytics API (does it have such an API?)
Show a captcha before showing the page (very disturbing for the user experience)
You can use reCAPTCHA server-side and get the user's 'botness' scored. Simo Ahava has a great guide on implementing this.

How Instagram autolikers bypassing the API deprecation?

In the past, Instagram autolikers, autofollowers and like-exchanger bots worked with the Instagram API. Thankfully, to keep Instagram bot-safe, they deprecated that API functionality, so developers can no longer use the commenting and liking endpoints.
But nowadays I keep meeting new spam comments under pictures in the feed.
I did some research about the new autolikers.
How did developers like SocialCaptain bypass the API deprecation?
Are they simulating a user browsing instagram.com?
Actually, you can just monitor the requests being sent from instagram.com. Open the developer tools and navigate to the Network tab.
Now you can reverse engineer their API by looking at the requests they send for particular actions. The only thing left is to supply the proper body, headers, cookies, etc. and perform the requests on your own outside of instagram.com.
Hope it helps !

Using Gmail API to update website when receiving an email

I'm new to programming on the web, so bear with me.
I've figured out that OAuth2.0 (the authorization protocol used by Gmail) is used for applications where Site A is given permission to information in Site B (in this case Gmail) by User X.
I am trying to create a website that updates when I receive an email from a specific sender. So, I am not using any of my website users' email information. I'm only using my own. I cannot seem to figure out (or even understand at a high level) how to permanently give my website access to my gmail account without doing some kind of user authentication on myself. What is the high-level process for giving my website this permanent authentication?
Let me know if I can make this clearer. Thank you in advance!
I've never done what you are trying to do, but you may find some useful answers here :)
Getting e-mail ID of sender while fetching mails from Gmail
I hope this helps if not I'm sorry. :)
UPDATE:
After reading that link a little bit more, there are parts of it where they are getting the sender. You can always write code to compare the sender by implementing what you need from that link. :)

User authorization in google talk with nodejs and node-xmpp

I'm writing a bot in node.js using node-xmpp. So far it's pretty straightforward, except I'm having an issue figuring out how Google Talk handles its user authorization (when dealing with a request to chat from someone NOT on your roster).
I'm catching all stanzas coming through and logging them to the console but there is no data coming from the user that is requesting authorization.
Any explanations of what I should be looking for or if this event even happens over the jabber protocol.
[appended] I know that technically, when a subscription request is made, a presence stanza is sent with the subscription request. I can't see these coming over the wire using node-xmpp for some reason. Also, I need to find a way to determine which presence requests are "pending" when my bot logs in. I thought (inaccurately) that they would be listed in the roster with some sort of flag, but that's not correct.
Any help with finding out where to go from here would be useful.
Ok, I finally figured out how to get the subscription requests after they have been made. There isn't much info on it out there, so I'll put together a blog post, but I feel that answering it here might be good as well.
I found that if I did a Google roster query based on the information below:
http://code.google.com/apis/talk/jep_extensions/roster_attributes.html
example stanza:
<iq from="username@gmail.com/D2D4E5A8" type="get" id="google-roster-1"><query xmlns="jabber:iq:roster" xmlns:gr="google:roster" gr:ext="2"/></iq>
the server would respond first with your pending subscription "presence" stanzas,
ex:
<presence type="subscribe" from="pendinguser@gmail.com" to="namehere@gmail.com/D2D4E5A8" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client"/>
and then the rest of your roster's "presence" stanzas. It's important to note that your subscription "presence" stanzas don't get sent to you from the server unless you do a roster query. I'm not sure why this is, and why it's not documented somewhere is beyond me. Anyway, at least I can get the list of people trying to get access to my bot now.
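The exchange described in that answer, as an added example (not the poster's code and not node-xmpp's API): `rosterQuery()` builds the Google-extended roster request, `pendingSubscribers()` scans the stanzas that come back for `<presence type="subscribe">` and returns the bare JIDs asking for access, and `subscribeResponse()` builds the standard `subscribed`/`unsubscribed` presence the bot sends to accept or refuse. The stanza text would be written to, and read from, the XMPP stream in a real bot; the sample stream below is constructed, not captured, and the tiny attribute scanner is enough for well-formed stanzas but is not a full XML parser.

```javascript
// Added example, not from the original answer. The sample stream is
// constructed; the attribute scanner is illustrative, not a full XML parser.
function escapeXml(s) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[<>&"']/g, (c) => map[c]);
}

// The roster request from the answer, with Google's roster extension enabled.
function rosterQuery(fullJid, id = 'google-roster-1') {
  return `<iq from="${escapeXml(fullJid)}" type="get" id="${escapeXml(id)}">` +
    '<query xmlns="jabber:iq:roster" xmlns:gr="google:roster" gr:ext="2"/></iq>';
}

// Collect the bare JIDs of everyone whose subscription request is pending.
// Attribute order varies between servers, so each <presence> start tag's
// attributes are read individually rather than matched as one fixed pattern.
function pendingSubscribers(streamText) {
  const out = new Set();
  const stanzaRe = /<presence\b([^>]*?)\/?>/g;
  let m;
  while ((m = stanzaRe.exec(streamText)) !== null) {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w:.-]+)\s*=\s*"([^"]*)"/g)) attrs[a[1]] = a[2];
    if (attrs.type === 'subscribe' && attrs.from) out.add(attrs.from.split('/')[0]);
  }
  return [...out];
}

// Standard XMPP reply to a subscription request (RFC 6121): "subscribed" grants
// the requester your presence, "unsubscribed" refuses it.
function subscribeResponse(bareJid, accept) {
  return `<presence to="${escapeXml(bareJid)}" type="${accept ? 'subscribed' : 'unsubscribed'}"/>`;
}

// Constructed sample of what arrives after the roster query: two pending
// requests (one repeated), an ordinary presence from a contact, then the roster
// result itself.
const SAMPLE_STREAM =
  '<presence type="subscribe" from="alice@gmail.com" to="bot@gmail.com/D2D4E5A8" xmlns="jabber:client"/>' +
  '<presence from="bob@example.org" type="subscribe" to="bot@gmail.com/D2D4E5A8"><status>hi</status></presence>' +
  '<presence from="carol@gmail.com/work" to="bot@gmail.com/D2D4E5A8"><show>away</show></presence>' +
  '<presence type="subscribe" from="alice@gmail.com" to="bot@gmail.com/D2D4E5A8"/>' +
  '<iq type="result" id="google-roster-1" to="bot@gmail.com/D2D4E5A8">' +
  '<query xmlns="jabber:iq:roster" xmlns:gr="google:roster"><item jid="carol@gmail.com" subscription="both"/></query></iq>';

// Decide who gets in. Here: an allow-list of domains, an assumption for the example.
function answerPending(streamText, allowedDomains) {
  return pendingSubscribers(streamText).map((jid) => {
    const domain = jid.split('@')[1] || '';
    return subscribeResponse(jid, allowedDomains.includes(domain));
  });
}

module.exports = { rosterQuery, pendingSubscribers, subscribeResponse, answerPending, SAMPLE_STREAM };
```

Whatever policy `answerPending` applies, the security point is that the bot decides on each request explicitly instead of auto-accepting everyone who asks, since a granted subscription lets the requester see the bot's presence and address it directly.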
Note: This is not my area of knowledge just an interest of mine. I have not got practical experience just a bit of research. This would have been a comment however doing some more searching on the topic, I have come up with some more things that might help.
Here's a google chat chat room homepage http://partychapp.appspot.com/ you can get the source http://code.google.com/p/partychapp/
Those links came from http://xmpp.org/2010/02/xmpp-roundup-13-services/ which has quite a few other resources that might be helpful.
http://code.google.com/p/node-xmpp-bosh/ has some code about that, I've not done it but the topic is interesting.
I hope that if you do find the answer you're after, you write up a blog post and/or a project and share it. It would be of interest to me.
