I've built an application wherein people are allowed to post anonymously without even signing up or registering. For security, as soon as the site loads up, an Ajax request is made to https://ipapi.co/json. Using this API, I get the public IPv4 of the user. I populate an input field with the data received. The input is hidden. This gets sent along with the data the user sends, i.e. his/her post. This is then stored in the database. The IP is used for blocking spammers. However, I find it very easy to change the IP data from Chrome developer tools. Anyone can. How can I overcome this? Is there any way a particular element cannot be accessed from Chrome developer tools? Or so that it's hidden in the truest sense?

Please help.

Thanks in advance!

  • You could examine the request headers to find the IP instead, then validate that IP – CertainPerformance Sep 11 '20 at 05:33
  • Yes, don't rely on info sent by the client. Don't fill an input with data you can't trust when it's sent back to your server. Instead, let the person post a message, and when you receive it, check the IP present in the headers. If you're using ExpressJS, for example, there is [this method](https://stackoverflow.com/questions/10849687/express-js-how-to-get-remote-client-address) – blex Sep 11 '20 at 05:39
  • Thank you so much. Will this method get me the IPv4? The IPv6? I tried using this method but this returns, at localhost, ::1, which I am not sure is working properly or not. Please help and explain what's going on? – Ibrahim Khalil Sep 11 '20 at 05:58
  • Is blocking users possible using this method? – Ibrahim Khalil Sep 11 '20 at 06:05
  • That's IPv6. It's working properly. – GirkovArpa Sep 11 '20 at 06:11
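
Added example, not part of the original thread: a server-side sketch of what the comments describe, taking the poster's address from the connection instead of the hidden form field, folding IPv4-mapped IPv6 addresses back to IPv4, and honouring `X-Forwarded-For` only when the direct peer is a trusted proxy. The names `TRUSTED_PROXIES`, `BLOCKED`, `normalizeIp`, `clientIp` and `handlePost` are hypothetical, the addresses are constructed sample values, and the single same-host reverse proxy is an assumption.

```javascript
// Added example: derive the poster's IP on the server, never from the form.
// TRUSTED_PROXIES and BLOCKED hold constructed sample values (RFC 5737 ranges).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']); // assumed: one reverse proxy on the same host
const BLOCKED = new Set(['203.0.113.7']);

// Node reports IPv4 peers on a dual-stack socket as "::ffff:a.b.c.d"; fold that
// back to plain IPv4 so one client does not appear under two spellings.
function normalizeIp(addr) {
  const s = String(addr || '').trim().toLowerCase();
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(s);
  return m ? m[1] : s;
}

// req is shaped like Node's http.IncomingMessage (Express hands you the same object).
function clientIp(req) {
  const peer = normalizeIp(req.socket.remoteAddress);
  const xff = req.headers['x-forwarded-for'];
  // X-Forwarded-For is sender-controlled; honour it only when the TCP peer is
  // our own proxy, and then take the rightmost entry (the one that proxy appended).
  if (xff && TRUSTED_PROXIES.has(peer)) {
    const hops = String(xff).split(',').map(normalizeIp).filter(Boolean);
    if (hops.length > 0) return hops[hops.length - 1];
  }
  return peer;
}

// Decide whether to accept a post. Any "ip" field in the body is ignored.
function handlePost(req) {
  const ip = clientIp(req);
  if (BLOCKED.has(ip)) return { status: 403, ip };
  return { status: 201, ip, text: req.body.text };
}

// Constructed request: a blocked client that edits the hidden field and adds a header.
const spoofed = {
  socket: { remoteAddress: '::ffff:203.0.113.7' },
  headers: { 'x-forwarded-for': '198.51.100.9' },
  body: { text: 'spam', ip: '198.51.100.9' },
};
// Constructed request: the same client arriving through the trusted local proxy.
const proxied = {
  socket: { remoteAddress: '::1' },
  headers: { 'x-forwarded-for': '198.51.100.9, 203.0.113.7' },
  body: { text: 'spam' },
};
console.log(handlePost(spoofed), handlePost(proxied));
```

A request made from the same machine with no proxy in front still reports `::1`, the IPv6 loopback address, which is the value seen in the comments above.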

0 Answers