We're just launching a new data store that will be populated with various kinds of user activity. How do I make sure that the data submitted to the datastore by the client, which is a browser in this use case, is not malicious?<p>Should I provide a nonce to the client and then validate that nonce when the data is submitted? If so, how should I implement this nonce function? Where can I find a peer reviewed nonce function implementation?<p>I think that determining malicious activity in general is a hard problem, and would involve detecting things such as:<p>rate of data submission
normal-ness of behavior
adherence to expected data structure<p>I expect that I will have to implement 1-3 on my own, but if I’m going to use a nonce I’d prefer not to roll my own.<p>Is a nonce worthwhile? If I’m just serving a nonce to a browser, that only requires that any malicious actor make HTTP requests and execute javascript, (as is possible with http://phantomjs.org/) extract the nonce, and then make a malicious request.<p>I’m out of my depth here, and would love some advice!