Preventing spoofing attack - how to ensure my client receives orders from the real server?
I'm working on a Chrome extension that integrates with a website. My users can do actions on this website when they are logged in to it.
I have a Socket.IO server that delivers commands to my Chrome extension. Once a command arrived, the extension invokes a local function from the host website. Then, the host website, which has an authenticated active session with its own API, will invoke some update/insert call.
I recently realized a potential security issue, which is - if anyone spoofs my server address on my extension clients organization, he can easily abuse it to send his own parameters on behalf of my server (image 2).
Is there any smart way to ensure my client communicates with the real server and not an imposter?
Use HTTPS secured connection.
This is one of the features of HTTPS (SSL/TLS) - it can prevent a MITM attack and prevent the destination server from being impersonated.
- Limiting the scopes of an OAuth 2.0 flow
- How can I tell password managers what pattern to use?
- Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
- How to run a Trivy scan on Windows?
- Why are iframes considered dangerous and a security risk?
- Vulnerabilities in spring-webmvc-5.3.39 to 5.3.40
- Limit GraphQL Queries by Breadth
- Securing a UDP connection
- Cross Domain Form POSTing
- How is PHP's mt_rand seeded?
- Customize android app preview when it is in background with secure flag
- Can a client-side login be safe?
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
- How to validate if a URL is an Okta domain?
- How to make Google Analytics respond to "Do Not Track"
- My Vercel API tokens leaked on GitHub. How do I regenerate them?
- Implementing Custom Expression Handling with Spring Security 6
- What are the security concerns for JSF?
- App attestation failed with Firebase App check in release on Android
- SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
- When should I use the deny access functions in Symfony 4.4 controllers?
- Install two traefik ingress controller on same kubernetes Cluster
- Logon events from within credential provider
- How to give access to my API for a mobile app?
- How to verify a JWKS's integrity and authenticity
- Changes in the front-end (Vue.js) part of the PatrolHears project (open source code)
- ECPrivateKey to ECPublicKey without BouncyCastle
- What TargetName to use when calling InitializeSecurityContext (Negotiate)?
- java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING