I am using curl post to exchange data between my three sites. I need to secure the data exchange by confirming whether the POST request in sent from either of my three sites.
Right now I have implemented the request header check but the request headers can also be manipulated. Is there a fool proof way to achieve this?
分享 I'm working on a RESTful service and also think about how I ensure the communication between service and authorized clients. After lengthy research I decided on the following solution.
Each client (application) has a public ID and a private key. The public ID can be up. The private key, only the client and the service know.
With each request, the client must authenticate it does with HTTP Basic Authentication. The username is the public ID. The password is a SHA1 token. The token is generated by the combination of the public ID, the transmitted parameters and the private key.
When the service receives a request, he knows by the username which client has made this request. It generates a token with the same method and compares it with the password. Are the two token identical, the client is entitled to make the request. Additionally, it is ensured that the parameters are not manipulated.
分享
