Post method shows url!!

I heard that if we use the post method to send and receive data, the URL address will be hidden in the browser and inspect window. But I tried and it was visible in inspector. In this case, anyone can easily hack it.

Please look below screenshots:

Yup, that happens.

A thing to consider is that the dev tool is used by the browser, does not exist in an app form.

Several things to consider regarding the POST action:

You can and should obfuscate the variable names in the links (POSTs), or at least use things not overly obvious (userid, password, etc).

And perhaps add some extra values, also obfuscated to act as decoys/fakes.

You can encrypt and or encode the variable post values within your code which the server knows how its encrypted and decrypts it on received.

You can add double checks like a MD5 hash between 2 posted values, or even from 2 combined values (1 from a previous post) and check the hash server side again.

You can add several methods of increasing values that do not correspond with numbers.

A returned value double check, where the received value is send back to the app and double checked.

A check server side that tracks 'irregular' values versus expected values. (i.e. normally only 5 points gets added, suddenly >100 gets added)

And a lot more options to make it harder to manipulate what is send and what is accepted upon reception.

It will never be 100% safe, but in reality, that goes for most information online, it's generally a matter of how much effort was poured into protection, and how much time and energy an abuser is willing to spent to make hos hack happen ....

Thank you for all your excellent and comprehensive tips

it's fine if u use https

it's fine if u use https

How come ?

Whether https or http is used, the user instantiating the app could still be able to see the involved URL and the post parameters ...

even if u send a password as plain text if it'S through https it's encrypted so other people can'T steal it

Your missing the point:

at no point prior is data sent visible

Because this is not true for the browser having the app or game running.

If I simply copy the link from the inspector, and paste it in my adress bar (with or without altered values) my transmission goes through ... and IF that link is using https ... it will also go over https

https is security between user <--> host

But in this scenario, the user is a potential culprit .. (for example, wanting to cheat with the biggest highscore)

Your missing the point:

> at no point prior is data sent visible

Because this is not true for the browser having the app or game running.

If I simply copy the link from the inspector, and paste it in my adress bar (with or without altered values) my transmission goes through ... and IF that link is using https ... it will also go over https

https is security between user <--> host

But in this scenario, the user is a potential culprit .. (for example, wanting to cheat with the biggest highscore)

Sorry, I hit the reply button to early. See edit in post above

In order to hide transaction calls from the player, you would need to encrypt the payload on client side and decrypt it on the server. Obfuscating variable names seems to be a poor measure, since ?asda34859=4000000 can be crosschecked with the score the player has made in that session and figure out that asda34859 is the score variable - not to mention development hell to map the obfuscated variables with the real database names.

For starters, you could encode your payload in base64 and split the string in 2-3 variables.

Yup, thats some measure you can apply to make it harder to tamper.

There are a lot more options to make it harder, like some mentioned earlier.