My webapp has means of abuse: users can access things they're not supposed to, such as 127.0.0.1/users/1, 127.0.0.1/users/2, 127.0.0.1/users/3 and so on. Within these it reveals the user's registration email, IP, etc. (via JSON, so the web server can return customized messages and greetings, and allow users to edit account data within profile settings).
This is what my route looks like:
forum.GET("/users/:user_id", routeFunc(UsersGET))
I'm using the Gin-Gonic HTTP framework to create a dummy forum. Can someone tell me how to stop users from accessing the /users/ route while allowing the actual web server to use it freely? And maybe link me in the correct direction. Thanks!
(The server uses it to return things like "Welcome Back, USERNAME".)
/users in your web server to prevent external clients using it. For example, in nginx, you could add a specific route and annotate it as internal. – Cosmic Ossifrage

gin-gonic has a built-in HTTP basic auth middleware here. There are many third-party solutions too. If you want to use an alternative authentication mechanism, that would be more specific to your use case/requirements and might be better handled in a separate question so the nuances of implementing auth can be dealt with too. – Cosmic Ossifrage
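The route in the question is an insecure direct object reference: any visitor can iterate user IDs and read other people's email and IP. Locking it down takes two separate checks, and the comments above only cover the first: an authentication middleware (who is the caller?) and then an ownership check inside the handler (is /users/:user_id the caller's own record?). The following is an added example, not code from the question or from the commenter. It uses Go's standard-library net/http rather than Gin so that it runs with no third-party module; the same two steps map directly onto a gin.HandlerFunc middleware plus a check in UsersGET. The in-memory users, the session tokens, the "session" cookie name and the Greeting helper are all constructed for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"net/http"
	"strconv"
	"strings"
)

// User is the profile record the /users/:user_id route returns as JSON.
type User struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email"`
	IP       string `json:"ip"`
}

// Constructed in-memory data for this example; a real forum would use a database.
var users = map[int]User{
	1: {ID: 1, Username: "alice", Email: "alice@example.com", IP: "203.0.113.5"},
	2: {ID: 2, Username: "bob", Email: "bob@example.com", IP: "203.0.113.9"},
}

// sessions maps a session token (issued at login) to a user ID. The tokens
// are constructed placeholders; real ones must be long and random.
var sessions = map[string]int{
	"tok-alice": 1,
	"tok-bob":   2,
}

type ctxKey int

const userIDKey ctxKey = 0

// authRequired is the "who are you" step: it resolves the session cookie to a
// user ID and rejects the request if there is none, so anonymous visitors never
// reach the handler and cannot enumerate /users/1, /users/2, ...
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		uid, ok := sessions[c.Value]
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), userIDKey, uid)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// usersGET is the "is this yours" step: being logged in is not enough, the
// requested ID must equal the caller's own ID. Without this check the route is
// still an insecure direct object reference, just behind a login.
func usersGET(w http.ResponseWriter, r *http.Request) {
	requested, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/users/"))
	if err != nil {
		http.NotFound(w, r)
		return
	}
	caller := r.Context().Value(userIDKey).(int) // always set by authRequired
	if requested != caller {
		// Answering 404 here instead would additionally hide which IDs exist.
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	u, ok := users[requested]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(u)
}

// Greeting is what the server itself needs for "Welcome back, USERNAME": it
// reads the store directly and never goes through the HTTP route.
func Greeting(uid int) string {
	u, ok := users[uid]
	if !ok {
		return "Welcome, guest"
	}
	return "Welcome back, " + u.Username
}

// NewServer wires the middleware in front of the route.
func NewServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/users/", authRequired(http.HandlerFunc(usersGET)))
	return mux
}

func main() { http.ListenAndServe("127.0.0.1:8080", NewServer()) }
```

The point of Greeting is the answer to "while allowing the actual web server to use it freely": server-side code that needs a username should call the data layer in-process, not fetch its own HTTP endpoint, so the route can be restricted to the logged-in owner without the server losing anything. If some other service genuinely must call /users/:user_id over the network, give it its own credential (an nginx internal location or a service token checked in the middleware) rather than leaving the route open.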