I want to know if there is a way your web host can know the PlaceId of the place it got a POST request from, without explicitly saying it in the sent POST data. This is for security reasons on my SQL.
I found a way to get the IP of the Roblox server that's sending the POST request (it's the usual 18.104.22.168 when playing locally). But I'm not sure of the significance of it and how I can use it to know the ID of the place.
Is there no way to make sure a request came from a Roblox server?
If RequestAsync lets you set the roblox-id header (or any other HttpService function) then that seems like a huge flaw and should be fixed. There’s no reason anyone should have ever been setting it outside of malicious intentions, so backwards compatibility can’t be an issue.
I was literally about to make a post about this exact need. For me, the reason I'd need it for security is because I am making an automated group ranking system and, from experience, if an exploiter manages to get access to the script that handles the requests then they can quite easily fake a request using something like Postman. This allows them to rank themselves, or someone else, inside the group and gives them a huge amount of power.
Adding to my last reply, using a shared secret (like a password) as authentication is really insecure because, like I said before, most exploiters can easily find the password and then create fake requests.
You don’t make http requests from the client, you make them from the server, which exploiters can’t access when playing your game. You’d give every place a unique shared secret for that place. The external server deduces place information from shared secret. It’s not “really insecure”, that’s an inaccurate exaggeration. Of course a proper authentication protocol is always better (this is what I was already implying in the previous post).
Good point, but even in large groups that have secure systems like that in place, they usually get leaked, but this is possibly due to a developer of the game leaking it themselves, for whatever reason.
You could store half of the shared secret in DataStores, so if a developer leaks the game file (or if server scripts are stolen through a rare exploit like we saw a while back), malicious users with the place file still can’t authenticate to your endpoint. And if someone gets server script execution privileges (e.g. backdoor in third-party code), they still don’t have the full key (half is in script source somewhere).
This aside, not sure how you get more advanced than that. Malicious users can do anything you can with request headers, so the only sort of way you can secure the request is with a secret key. Naturally, this key has to be accessible from your game so that it can use it.
Security is not as big of an issue on the server side in modules, as it's way easier to exploit the client. It is currently very hard to steal modules if someone tried. I have an auto promotion bot running for a 300k+ member group, as well as an automatic funding course for group uniforms. While I do take good precautions, it's doing fine.
I see that my phrasing was wrong here; what I meant to say was that it's in fact way harder to find vulnerabilities in the server than it is to find them in the client. I have rephrased my reply so it's easier to interpret.
Also, as a general thing, if you have all of the security Roblox-side, you are doing something wrong. It is expected that you have security on both sides, server and Roblox. This can be done by sending a key that is required in the body of every request, and the key can be stored in the DataStore service, as Echo said.
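Pulling together the three ideas above (a per-place secret from which the web host deduces the place, the secret split between the script and a DataStore, and a key check on every request), here is an added example of what the web host side can look like; it is not code from any post in this thread and not anything Roblox provides. Instead of shipping the key in the request body, the game signs each request with an HMAC over a key id, a timestamp and the body, so the key itself never travels over the wire and a captured request cannot be edited or replayed after a short window. The game-side part is written in Python here as a stand-in for the Luau server script that would call HttpService:RequestAsync; the header names, key ids, halves and place ids are made-up values for the demonstration.

```python
"""Added example (not from the thread): a web host authenticating POSTs from a
Roblox place with a per-place HMAC key, and deducing the PlaceId from the key
rather than trusting a PlaceId stated in the body."""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumption: reject requests older or newer than 5 minutes


def derive_key(script_half: str, datastore_half: str) -> bytes:
    """Combine the half kept in the server script with the half kept in a
    DataStore. Someone holding only one half (a leaked place file, a stolen
    script) gets a different key and fails verification."""
    return hashlib.sha256(f"{script_half}:{datastore_half}".encode()).digest()


# Web host side. The host keys this table by an opaque key id, so the PlaceId
# comes from the host's own table, never from the request. Values are constructed.
PLACE_KEYS = {
    "key-a1": (123456, derive_key("script-half-A", "datastore-half-A")),
    "key-b2": (789012, derive_key("script-half-B", "datastore-half-B")),
}


def sign(key: bytes, key_id: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over key id, timestamp and the exact body bytes."""
    msg = f"{key_id}|{timestamp}|".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(key_id: str, key: bytes, payload: dict, now=None):
    """Game side (stand-in for the Luau server script). Returns the headers
    and body the script would hand to HttpService:RequestAsync."""
    timestamp = int(now if now is not None else time.time())
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sign(key, key_id, timestamp, body),
    }
    return headers, body


def verify_request(headers: dict, body: bytes, now=None):
    """Web host side. Returns the PlaceId the key belongs to, or None if the
    request is unknown, tampered with, stale or signed with the wrong key."""
    now = now if now is not None else time.time()
    entry = PLACE_KEYS.get(headers.get("X-Key-Id", ""))
    if entry is None:
        return None  # unknown key id: not one of our places
    place_id, key = entry
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None  # outside the replay window
    expected = sign(key, headers["X-Key-Id"], timestamp, body)
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return place_id


if __name__ == "__main__":
    key_id, (place_id, key) = "key-a1", PLACE_KEYS["key-a1"]
    # The body claims PlaceId 999; the host still resolves the real place, 123456.
    headers, body = build_request(key_id, key, {"userId": 1, "rank": 5, "placeId": 999})
    print("genuine request ->", verify_request(headers, body))
    print("tampered body   ->", verify_request(headers, body + b" "))
    # An attacker with only the script half derives the wrong key.
    bad_headers, bad_body = build_request(key_id, derive_key("script-half-A", "guess"), {"userId": 1})
    print("wrong key       ->", verify_request(bad_headers, bad_body))
```

The host never reads a PlaceId out of the body; it resolves it from its own table via the key id, which is the "external server deduces place information from shared secret" step. To also stop replays inside the five-minute window, the host can remember recent signatures and reject duplicates.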