Context:
I have written a simple polling app using the PERN stack (Postgres, Express, ReactJS, and NodeJS). The client sends a GET request to the server, this returns the question data and displays it to the user. The user then selects option A or B. This is then sent via a POST request to the server which then triggers the database to be updated.
My issue is that anybody can view the RAW HTML of the client and see the server URL and send a POST/GET request of the same format themselves. Even if I used an authentication token, surely somebody could view the RAW HTML again, see the GET request and do it themselves?
It's possible I am completely missing something here so any help would be greatly appreciated.
The question is a little bit unclear. If you mean the application layer, there is no way to prevent it unless you disconnect it from the internet which is not possible. There are some ways that you can reduce the load and keep track of each request - the only thing that everyone does.
Limiting requests / Rate limit
If there are some public endpoints which don't include any authentications, it's better to limit the number of requests that have been sent from the same user in a specific period of time. There are some packages that you might check. This will help to reduce the server's load.
Authentication
You may want to keep track of users' requests, then you should authenticate them using a token or something like that. In that case, even the clients that send a request to you, won't change any data on the backend until they get authorized.
Network layer
You can disable the public access to your server and allow only specific IPs to send requests (whitelisting). Even in that case, you don't prevent sending requests, you just ignore them. The other way is to use a CDN provider to protect your services from DDoS attacks.