350-401 · Question #598
How can an engineer prevent basic replay attacks from people who try to brute force a system via REST API?
The correct answer is A. Add a timestamp to the request In the API header.. Timestamps Stop Replay Attacks Adding a timestamp to the API request header is the correct defense against replay attacks because it creates a time-limited validity window - if an attacker captures and retransmits a request, the server can reject it if the timestamp is expired (t
Question
How can an engineer prevent basic replay attacks from people who try to brute force a system via REST API?
Options
- AAdd a timestamp to the request In the API header.
- BUse a password hash
- CAdd OAuth to the request in the API header.
- DUseHTTPS
How the community answered
(51 responses)- A80% (41)
- B12% (6)
- C2% (1)
- D6% (3)
Explanation
Timestamps Stop Replay Attacks
Adding a timestamp to the API request header is the correct defense against replay attacks because it creates a time-limited validity window - if an attacker captures and retransmits a request, the server can reject it if the timestamp is expired (typically beyond 5–15 minutes old), making replayed requests useless. Option B (password hashing) protects stored credentials but does nothing to prevent a captured valid request from being resent. Option C (OAuth) improves authentication and authorization but doesn't inherently prevent replay attacks on its own, as a token can still be captured and reused within its validity period. Option D (HTTPS) encrypts data in transit, stopping interception, but if a request is captured, HTTPS alone won't prevent it from being replayed.
Memory Tip: Think of a timestamp as an expiration date on milk - even if someone steals it, it becomes worthless after a short time. "Replay attacks need fresh requests, so timestamps make them stale."
Topics
Community Discussion
No community discussion yet for this question.