My friend and I are working on a program. This program is going to submit GET data to our webpage. However, we don't want users accessing the webpage any other way than the program. We can prevent users from sharing the program using HWID authentication, but nothing prevents them from using a packet scanner to get the URL of the webpage. We thought about user-agent authentication, which we will implement, but user-agents can easily be spoofed.
So my question is, how can we prevent users from accessing the webpage directly, instead of through the program?
Even if you don't have an answer that will completely work, anything that will help deter them would be nice.
Currently we will be implementing:
HWID Authentication to use the program
User-Agent Authentication to access the web page
Instant IP Blacklisting to anyone accessing the webpage without the proper User-Agent
Do not rely on user agent or any kind of browser fingerprint, HTTP headers are easily forged/spoofed.
You could add some secret token (eg. password/login) to the request and send it through SSL to prevent eavesdropping.
Or better, use an SSL client certificate.
Edit: Are you going to distribute the VB program? If so, as bobince mentioned, there's no way you can prevent a determined hacker from forging requests. You can raise the bar, but it will be security through obscurity. Even with client certs, the hacker will be able to extract the cert from your program and send modified requests.
As long as you accept requests from the client, these requests can be forged. Deal with it.
One option is you can set an encrypted token in the request header.
The token can be used only a single time. If the same token is sent again the server will reject it, which means you have to maintain a copy of the utilized tokens on the server side.
One option is to use and verify a custom header which a web browser does not send; I did a similar thing for a program of my own. Do that on top of the other verifications you are doing. On the server side, have your server script verify the custom header and simply redirect if the header is wrong.
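A server-side check that combines the single-use token from the previous answer with the custom-header idea from this one, written as an added example rather than code from any of the posters. The header name X-App-Token, the shared secret and the query string are assumptions; as the earlier answers point out, the secret ships inside the client and can be extracted, so this raises the bar against casual direct access and replay but does not prevent a determined forger.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example secret; in practice it would be embedded in the client
# program and is therefore extractable (see the answers above).
SHARED_SECRET = b"constructed-example-shared-secret"


class TokenVerifier:
    """Verifies an HMAC-signed, single-use token carried in a custom header."""

    def __init__(self, secret, max_age=300):
        self.secret = secret
        self.max_age = max_age          # seconds a token stays acceptable
        self.used = {}                  # nonce -> timestamp of first use

    def _mac(self, nonce, ts, query):
        # Bind the token to the query so a captured token cannot be reused
        # for a different request.
        msg = f"{nonce}.{ts}.{query}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def make_token(self, query, now=None):
        """Client side: fresh nonce + timestamp + MAC over both and the query."""
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        return f"{nonce}.{ts}.{self._mac(nonce, ts, query)}"

    def verify(self, headers, query, now=None):
        """Server side: returns 'ok' or a short rejection reason."""
        now = time.time() if now is None else now
        tok = headers.get("X-App-Token")   # header a browser never sends
        if tok is None:
            return "missing"
        parts = tok.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return "malformed"
        nonce, ts, mac = parts[0], int(parts[1]), parts[2]
        if abs(now - ts) > self.max_age:
            return "expired"
        if not hmac.compare_digest(mac, self._mac(nonce, ts, query)):
            return "bad-signature"
        # Drop nonces too old to be replayed, then reject any reuse.
        self.used = {n: t for n, t in self.used.items() if now - t <= self.max_age}
        if nonce in self.used:
            return "replayed"
        self.used[nonce] = ts
        return "ok"
```

On a rejection the server script can redirect or drop the request, as the answer suggests, and log the reason for the IP-blacklisting rule mentioned in the question.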