I’m developing an App that sends data to a PHP API backend via POST requests. E.g. a user inputs text into a box, the user presses send, the App sends a POST request to the server, and the server processes the data and stores it in the DB.
How should I send and validate the POST requests so as to stop attacks and abuse? For example:
Even if a correct username and password are inserted into each POST body to be validated on the backend, a user could send a fake POST request from outside the App.
In addition to the point above, the user could also use that method to spam POST requests and overload the backend API.
Ideally, all POST requests to the backend API should be sent from the App. What is the best way to validate incoming requests so as to prevent abuse and attacks?