I am building a game similar to HQ trivia, that when someone gives all the correct answers at the end of the game he or she gets money sent to their Paypal account, my concern is obviously security.
The game will send an HTTPS request to a backend API which will then make a request to the Paypal API and make a payment of X dollars to the player's Paypal account.
How do I protect the game from someone sending fraudulent manual HTTP requests to the backend API, and consequently sending let's say 1M transactions of $10 to their own Paypal account?
These are some security layers I came up with so far: - CSRF - Human interaction accepting or declining every payment before taking place - Algorithm to filter consequent HTTP request from the same IP or to the same Paypal account
I assume not but, would that be enough?
