Replay attacks are very popular against public APIs.

What is a replay attack?

A replay attack is when an attacker intercepts a valid HTTP request to your API and then replays the same request again and again, tricking your API into thinking that it is a valid HTTP request coming from your user.

Protection

Here is a very simple method that I use to protect my APIs from replay attacks.

Client side steps

1. Generate a unique token on the server for the device when the app is used for the first time, or, if the app requires login, generate the token on successful login.
2. Whenever the app makes a call to the server it adds the following in the HTTP headers:
   - Token
   - A 128 characters long random value (call it Random1)
   - Current Unix timestamp of the device
   - SHA256 of "Token+|||+Random1+|||+Timestamp" (call this result Random2)

Server side steps

When an HTTP request is received by any API it takes the following steps to verify the validity of the request:

1. Check if Token is a valid token that exists in the database (you can implement expiry mec...
I document random stuff on this blog. It can be a piece of code, my personal experience, a fun fact or anything else.