
It seems you are letting any client with a session token update the entire wall. The endpoint simply takes the base64 PNG and sets it as the wall.

I was thinking maybe taking a diff, limiting its maximum area, and rate-limiting might at least discourage that.
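The server-side check suggested above, as an added example that is not code from the thread or from the wall app: the upload is diffed against the authoritative wall, rejected if it changes too many pixels or spans too large a bounding box, and otherwise only the changed pixels are merged. It assumes the PNG has already been decoded to raw RGBA bytes (e.g. with Pillow); the `Wall` type, the limits and the sample pixels are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

BBox = Tuple[int, int, int, int]  # inclusive (x0, y0, x1, y1)

@dataclass
class Wall:  # hypothetical authoritative wall state held by the server
    width: int
    height: int
    pixels: bytearray  # RGBA bytes, row-major; len == width * height * 4

def blank_wall(width: int, height: int, rgba: bytes = b"\xff\xff\xff\xff") -> Wall:
    return Wall(width, height, bytearray(rgba * (width * height)))

def set_pixel(buf: bytearray, width: int, x: int, y: int, rgba: bytes) -> None:
    off = (y * width + x) * 4
    buf[off:off + 4] = rgba

def diff_bounds(wall: Wall, proposed: bytes) -> Tuple[List[int], Optional[BBox]]:
    """Byte offsets of pixels that differ from the current wall, plus the
    inclusive bounding box of those pixels (None when nothing changed)."""
    if len(proposed) != len(wall.pixels):
        raise ValueError("upload does not match wall dimensions")
    offsets, x0, y0, x1, y1 = [], wall.width, wall.height, -1, -1
    for i in range(wall.width * wall.height):
        off = i * 4
        if wall.pixels[off:off + 4] != proposed[off:off + 4]:
            offsets.append(off)
            y, x = divmod(i, wall.width)
            x0, y0, x1, y1 = min(x0, x), min(y0, y), max(x1, x), max(y1, y)
    return offsets, ((x0, y0, x1, y1) if offsets else None)

def apply_update(wall: Wall, proposed: bytes, max_changed: int, max_area: int) -> Tuple[bool, str]:
    """Reject uploads whose diff is too large, then merge only the changed
    pixels so a single request can never replace the whole wall."""
    offsets, bbox = diff_bounds(wall, proposed)
    if bbox is None:
        return False, "no change"
    if len(offsets) > max_changed:
        return False, f"too many pixels changed ({len(offsets)} > {max_changed})"
    x0, y0, x1, y1 = bbox
    area = (x1 - x0 + 1) * (y1 - y0 + 1)
    if area > max_area:
        return False, f"bounding box too large ({area} > {max_area})"
    for off in offsets:  # merge the diff, leaving untouched pixels alone
        wall.pixels[off:off + 4] = proposed[off:off + 4]
    return True, f"merged {len(offsets)} pixels inside a {area}-pixel box"
```

Merging only the diff also means a stale upload from one client no longer erases strokes other clients painted elsewhere in the meantime.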



Thanks for the heads-up. You’re absolutely right! Rate-limiting could help, but it would make quick strokes difficult, so I decided against it.

I’ve already implemented a few measures, but I’d rather not share the details publicly.



