-1

I have a web application and I need to securely log all the user activities. I need to know when they access specific pages and take specific actions like clicking a button. If I have the frontend send this data to the backend, it would be easy for the user to prevent that request from being sent out. I need the implementation to be reliable. I've thought about taking the implementation to the back end but the endpoints are pretty generic and aren't indicative of the specific action the user was taking on the frontend. I know this is really an open ended question, but any ideas would be much appreciated.

2 Answers

1

As for information security, an HTTPS connection must be used for messaging to the server, so no MITM attack is possible and the data is encoded.

Moving on to reliability, you could use service workers for some kind of event accumulation and sending. Using the same domain for logging would stop amateur users from blocking the messages globally. Some kind of message hashing, in the "security through obscurity" style, would save the service from content-regexp solutions.

About server misuse: as far as I can see, there is no good solution, as user input should always be filtered and cleaned; one could only expect the functionality not to be a target of a hacker attack.

Let's do a mental experiment: someone has found out the data flow from the frontend and tries to attack the site. As I see it, there are several ways to do that:

  1. DDoS on the endpoint, but it does not do a lot of CPU-bound operations, although it could be I/O bound; endpoint rate limits could solve the issue.

  2. Malformed data trying to make some kind of SQL injection. This attack could be solved by accepting strict rules and message formats.

  3. Malformed data trying to break the service's metrics, but being an attack target makes the site some kind of big service, so a 99.9th percentile for the metrics calculation could leave out those distribution outliers.

So, the main attack vectors could not easily provide any benefits for the hackers, especially when the service is a black box, which makes any attacks on the functionality useless.

Sindbag
  • 331
  • 3
  • 15
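The two server-side measures the answer above lists, a strict message format for the events the frontend posts and a rate limit on the logging endpoint, can be shown in a small Node.js ingest routine. This is an added example, not code from the answer or from the asker's application; the event names, field limits, bucket size and the constructed sample batch are assumptions chosen for the demo.

```javascript
// Added example: server-side ingest of frontend activity events with a strict
// schema and a per-user token-bucket rate limit. All limits are assumed values.

const ALLOWED_EVENTS = new Set(['page_view', 'button_click', 'form_submit']);
const MAX_PATH_LEN = 512;
const MAX_TARGET_LEN = 64;
const MAX_SKEW_MS = 5 * 60 * 1000;   // client timestamp may differ from server time by at most 5 min
const MAX_BATCH = 50;                // bounds the work one request can cause
const MAX_BODY_BYTES = 16 * 1024;

// Validate one raw event against the strict schema: exactly four known fields,
// a known event name, a relative path with no query string, a short target id
// and a plausible timestamp. Returns an error string, or null when acceptable.
function validateEvent(ev, nowMs) {
  if (ev === null || typeof ev !== 'object' || Array.isArray(ev)) return 'not an object';
  if (Object.keys(ev).sort().join(',') !== 'event,path,target,ts') return 'unexpected fields';
  if (!ALLOWED_EVENTS.has(ev.event)) return 'unknown event';
  if (typeof ev.path !== 'string' || ev.path.length > MAX_PATH_LEN) return 'bad path';
  if (!/^\/[A-Za-z0-9_\-./]*$/.test(ev.path)) return 'bad path';
  if (typeof ev.target !== 'string' || ev.target.length > MAX_TARGET_LEN) return 'bad target';
  if (!/^[A-Za-z0-9_-]*$/.test(ev.target)) return 'bad target';
  if (!Number.isInteger(ev.ts) || Math.abs(ev.ts - nowMs) > MAX_SKEW_MS) return 'bad timestamp';
  return null;
}

// Token bucket keyed by user: `capacity` events may burst, then `refillPerSec`
// per second. One token is spent per accepted event.
class TokenBucket {
  constructor(capacity, refillPerSec) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map();   // userId -> { tokens, lastMs }
  }
  take(userId, nowMs) {
    let b = this.buckets.get(userId);
    if (!b) { b = { tokens: this.capacity, lastMs: nowMs }; this.buckets.set(userId, b); }
    b.tokens = Math.min(this.capacity, b.tokens + ((nowMs - b.lastMs) / 1000) * this.refillPerSec);
    b.lastMs = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Parse and check a posted batch. userId comes from the server-side session,
// never from the body, and the server's own clock is stored alongside the
// client's timestamp. Returns { accepted: [...], rejected: [{ index, reason }] }.
function ingestBatch(userId, rawBody, nowMs, limiter) {
  const result = { accepted: [], rejected: [] };
  if (typeof rawBody !== 'string' || Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    result.rejected.push({ index: -1, reason: 'body too large' });
    return result;
  }
  let batch;
  try { batch = JSON.parse(rawBody); } catch (e) {
    result.rejected.push({ index: -1, reason: 'invalid json' });
    return result;
  }
  if (!Array.isArray(batch) || batch.length > MAX_BATCH) {
    result.rejected.push({ index: -1, reason: 'bad batch' });
    return result;
  }
  batch.forEach((ev, index) => {
    const err = validateEvent(ev, nowMs);
    if (err) { result.rejected.push({ index, reason: err }); return; }
    if (!limiter.take(userId, nowMs)) { result.rejected.push({ index, reason: 'rate limited' }); return; }
    result.accepted.push({ user: userId, serverTs: nowMs, ...ev });
  });
  return result;
}

// Constructed sample batch: two good events, four malformed ones, then two more
// good events of which the last exceeds a 3-event burst allowance.
const NOW = 1700000000000;
const SAMPLE_BODY = JSON.stringify([
  { event: 'page_view', path: '/account/settings', target: '', ts: NOW - 1000 },
  { event: 'button_click', path: '/account/settings', target: 'save-btn', ts: NOW - 500 },
  { event: 'page_view', path: '/account?x=1', target: '', ts: NOW },               // query string not allowed
  { event: 'delete_all', path: '/admin', target: '', ts: NOW },                    // unknown event name
  { event: 'button_click', path: '/x', target: 'a', ts: NOW, extra: 1 },           // extra field
  { event: 'button_click', path: '/x', target: 'a', ts: NOW - 60 * 60 * 1000 },    // stale timestamp
  { event: 'button_click', path: '/x', target: 'b', ts: NOW },
  { event: 'button_click', path: '/x', target: 'c', ts: NOW },                     // bucket empty
]);

function demo() {
  const limiter = new TokenBucket(3, 1);   // 3-event burst, then 1 event/second per user
  return ingestBatch('user-42', SAMPLE_BODY, NOW, limiter);
}

console.log(JSON.stringify(demo(), null, 2));
```

The rejections are returned per event rather than failing the whole batch so that a single bad element (or a probe) does not discard legitimate events from the same user; a real deployment would count rejections per user as a detection signal.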
0

1. Basically, when the front tier needs to be logged, most of the time libraries like slf4j and log4j2 should be sufficient to log the activities. You may probably want to place the logger at the servlet filter level and then deploy it as usual.

2. If you still want to be more secure, you may use an application monitoring tool like Datadog and capture the activities.

However, the frontend class must be hooked in with the logger in any case.