I have a simple php script for hwid checks on a c# app i made it just checks if the hwid and email match and sends it to the app again. But i've looked through websites to see how i should add more security and i've come across multiple where they are sending POST requests to www.site.com/api/login and there's no file extension. how is this done?
What are you using for your backend if you are using framework like laravel or etc you can define your own route to handle the url request https://laravel.com/docs/5.6/routing
if you are using native you can use .htaccess for that https://stackoverflow.com/a/32140158/9590296