How to protect GAE server-side calculation logic?

Backend · Unresolved · 2 · 908
栀梦 2021-01-25 18:41

Let's say I have 100 fields in the html form. When all fields are filled in, some score is calculated and shown to the user (let's say the score value is from 0 to 3000).

2 answers
  • 终归单人心 2021-01-25 19:15

    There is not a single solution to this. You may attempt to make it hard for the user to hack it and to do so undetected, and apply the coercive measures possible.

    • use an "enabler" cookie (or set a session flag) when the user displays the form and check for this specific cookie or flag before you hand the response. Clear the enabler once a response has been provided and don't allow submissions for those who already submitted
    • randomize field names and check at the server side if the fields have the proper random names
    • use a cookie to check if the user already submitted the form (it's easy to defeat)
    • check for user agent against popular HTTP libraries (and don't allow people to submit forms with them)
    • monitor if the same IP makes lots of submissions - imprecise, but may indicate something fishy

    Those are the first ideas that come to my mind. There will most likely be other insightful comments with others.
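As an added illustration of the first two points above (an "enabler" flag that is consumed on submission, plus randomized field names verified on the server), not code from the answer or from App Engine itself: a small framework-agnostic module that assumes a server-side session `dict` (whatever your session layer provides), three constructed stand-in fields instead of the 100 real ones, and a made-up scoring rule.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the form's fields (the real form has 100).
FIELDS = ["q1", "q2", "q3"]


def issue_form(session: dict) -> Dict[str, object]:
    """Called when the form page is rendered: sets the enabler token in the
    server-side session and hands out random field names for this render.
    The returned dict is what the template uses to build the <input> names."""
    token = secrets.token_urlsafe(32)
    names = {f: "f_" + secrets.token_hex(8) for f in FIELDS}
    session["form_token"] = token
    session["field_names"] = names
    return {"token": token, "names": names}


def compute_score(answers: Dict[str, int]) -> int:
    # Scoring stays on the server; constructed rule: sum, clamped to 0..3000.
    return max(0, min(3000, sum(answers.values())))


def handle_submission(session: dict, form: Dict[str, str]) -> Optional[int]:
    """Validate a POST against the session, then score it.
    Returns the score, or None when the submission is rejected."""
    if session.get("submitted"):
        return None  # this session already answered once
    token = session.get("form_token")
    names = session.get("field_names")
    if not token or not names:
        return None  # form was never issued (or enabler already consumed)
    if not hmac.compare_digest(token, form.get("token", "")):
        return None  # enabler token missing or wrong
    if set(form) != set(names.values()) | {"token"}:
        return None  # field names are not the random ones we handed out
    try:
        answers = {f: int(form[n]) for f, n in names.items()}
    except ValueError:
        return None  # non-numeric answer
    if any(not 0 <= v <= 30 for v in answers.values()):
        return None  # constructed per-field range check
    # Consume the enabler so a replay of the same POST is rejected.
    session.pop("form_token")
    session.pop("field_names")
    session["submitted"] = True
    return compute_score(answers)
```

The session must live server-side (cookie holds only an opaque id), otherwise the client can simply re-enable itself.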
