Yes, the `int_csm` value is the checksum the server expected instead of the one I had passed. It would tell you "you're wrong. But here is the correct answer". I could then just re-submit with the proper value…
Hmm, if that was me (as the server programmer) I'd return a purposely different checksum[1] in the error message and then (internally) flag anything that was then submitted with that 'incorrect' checksum.
What you do with these flagged entries is up to you:-
a) Delete the scores after an hour or so (giving the chance for the user to check things)
b) Only display those scores to the user that logged in
c) Flag the entire account as 'cheat' and ban it after a few dodgy submissions
etc...
1. i.e. expected hash is hash(real_salt+data), supposed expected hash (returned to client in error message) is hash(cheat_salt+data). You obviously never return the real expected hash.
I wrote it up here: http://timotheeboucher.com/on-writing-laconic-error-messages... but the gist of it was that their score submission endpoint required a checksum, but the error message if the checksum was wrong was:
Yes, the `int_csm` value is the checksum the server expected instead of the one I had passed. It would tell you "you're wrong. But here is the correct answer". I could then just re-submit with the proper value…