Sunday, April 5, 2015

client server - Securing JavaScript / PHP game data


Follow-up to securing-http-data-from-a-javascript-game-to-server.


I'm working on something similar, in that I have a PHP backend and a JavaScript frontend, which plays around with the HTML5 canvas element for drawing.


There will be some heavy client-server communication required, as the player will get timely updates from the server with regards to actions that other players are taking. In turn, the client will update the server with his actions that have been taken.


My question is what is the best way to secure such data? Since the client is basically JavaScript, what are some good ways to secure my game data / game states from being tampered with?


I had a thought (spurred by answers to the previous question), about generating a hash based on the currently active session, storing that in a game state database, and validating it server-side. However, I would imagine that any data sent back to the server via AJAX can be scrubbed for any key that I send back.




Answer



Don't trust the client.


It's as simple as that. Any safeguard you can put in place can be broken, and truly safe methods are impossible within the scope of JavaScript.


The best approach is to only trust the client with drawing what you send it and retrieving user input. Giving it anything more is just asking for trouble.


Any information you send to your client should be considered compromised, and any information you receive from your client should be considered a potential attack.
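One way to act on that advice in the PHP backend the question describes, as an added example that is not from the original question or answer: the session holds the only trusted copy of a player's position, the client sends intents ("move by dx, dy") rather than state, and every intent is checked against server-held state before it is applied. The step limit, world size and JSON action shape are assumptions made for the example.

```php
<?php
// Added example (not from the original post): server-authoritative move handling.
// The server keeps the only trusted copy of the game state, keyed by the PHP session;
// the client sends an intent ("move", dx, dy), never a position or a score.

const MAX_STEP = 5;        // assumed per-tick movement limit for a player
const WORLD_W = 800;       // assumed canvas size the client draws into
const WORLD_H = 600;

/** Validate one client action against server-held state; returns an error string or null. */
function validateAction(array $state, array $action): ?string {
    if (($action['type'] ?? null) !== 'move') {
        return 'unknown action type';
    }
    // Only integers are acceptable; JSON from the client may carry strings, floats or nulls.
    if (!is_int($action['dx'] ?? null) || !is_int($action['dy'] ?? null)) {
        return 'dx/dy must be integers';
    }
    if (abs($action['dx']) > MAX_STEP || abs($action['dy']) > MAX_STEP) {
        return 'step exceeds speed limit';
    }
    $nx = $state['x'] + $action['dx'];
    $ny = $state['y'] + $action['dy'];
    if ($nx < 0 || $ny < 0 || $nx >= WORLD_W || $ny >= WORLD_H) {
        return 'move leaves the world';
    }
    return null;
}

/** Apply a validated action; anything rejected leaves the state untouched. */
function applyAction(array $state, array $action): array {
    if (validateAction($state, $action) !== null) {
        return $state;
    }
    $state['x'] += $action['dx'];
    $state['y'] += $action['dy'];
    return $state;
}
// Request handling: the state comes from the session store, never from the request body.
session_start();
$_SESSION['game'] ??= ['x' => 100, 'y' => 100];   // starting position is an assumption
$decoded = json_decode((string) file_get_contents('php://input'), true);
$action = is_array($decoded) ? $decoded : [];     // anything that is not an object counts as no action
$error = validateAction($_SESSION['game'], $action);
if ($error === null) {
    $_SESSION['game'] = applyAction($_SESSION['game'], $action);
}
header('Content-Type: application/json');
// The client receives only what it needs to draw, plus a reason when a move was refused.
echo json_encode(['state' => $_SESSION['game'], 'error' => $error]);
```

The same pattern extends to every other client message: the request body names an action, and the server decides from its own state whether that action is legal and what it changes.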

