  1. #1

    Adding header security to public app data?

    Hi

    I'm in the process of architecting a mobile application and we're considering adding header security to the PHP file that's currently generating the app's XML data. So when the app requests the XML document it also sends a custom header with a secret key and some other encrypted values that the PHP script can validate.

    Any suggestions on a robust way to achieve this?

    I see IBM has documented something similar but it's designed for SOAP requests.


    Thanks for your help

    Charlie

  2. #2
    Quote Originally Posted by Chas:
        So when the app requests the XML document it also sends a custom header with a secret key and some other encrypted values that the PHP script can validate.
    Sorry for a dumb question but why use headers to pass secret keys at all? It's much easier to pass the keys and other required data in $_GET parameters. If you are communicating over HTTPS then $_GET parameters are encrypted. If you are using HTTP then the headers are also sent in plain text just like $_GET. If you are worried about non-secure $_GET parameters being stored in server or proxy logs then you could pass them via $_POST. In either case I don't see how passing values via headers increases security.
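    The scheme Charlie describes (the app sends a secret-derived value with each request and the PHP script validates it) can be implemented with an HMAC over the request rather than by sending the secret itself, so the secret never travels on the wire in either a header or a $_GET/$_POST parameter. The following is an added example written for this thread; it is not code from the original posts. The header names, the key id, the shared secret, the five-minute clock window and the in-memory nonce store are all assumptions chosen for the example.

```php
<?php
// Added example for this thread, not code from the original posts.
// Request contract (assumed for this example): the app sends four custom headers
//   X-App-Key-Id     which shared secret to use
//   X-App-Timestamp  Unix time when the request was built
//   X-App-Nonce      random value, unique per request
//   X-App-Signature  hex(HMAC-SHA256(secret, METHOD\nPATH\nTIMESTAMP\nNONCE))
// The server recomputes the signature and rejects anything stale, replayed or tampered.

const SIGNATURE_WINDOW_SECONDS = 300; // assumed clock tolerance

// Placeholder secret: in a real deployment load this from configuration, never commit it.
$KEYS = [
    'ios-app-v1' => 'example-shared-secret-replace-me',
];

function canonicalString(string $method, string $path, string $timestamp, string $nonce): string
{
    // Everything that is signed must be reconstructable on the server side.
    return implode("\n", [strtoupper($method), $path, $timestamp, $nonce]);
}

function computeSignature(string $secret, string $canonical): string
{
    return hash_hmac('sha256', $canonical, $secret);
}

/**
 * Returns null when the request is valid, otherwise a short reason string.
 * $seenNonces stands in for a shared store (database table, cache) of nonces seen in the window.
 */
function validateSignedRequest(array $headers, string $method, string $path, array $keys, array &$seenNonces, int $now): ?string
{
    foreach (['X-App-Key-Id', 'X-App-Timestamp', 'X-App-Nonce', 'X-App-Signature'] as $h) {
        if (!isset($headers[$h]) || $headers[$h] === '') {
            return "missing header $h";
        }
    }
    $keyId = $headers['X-App-Key-Id'];
    if (!isset($keys[$keyId])) {
        return 'unknown key id';
    }
    $timestamp = $headers['X-App-Timestamp'];
    if (!preg_match('/^\d{1,12}$/', $timestamp) || abs($now - (int)$timestamp) > SIGNATURE_WINDOW_SECONDS) {
        return 'timestamp outside window';
    }
    $nonce = $headers['X-App-Nonce'];
    if (isset($seenNonces[$nonce])) {
        return 'replayed nonce';
    }
    $expected = computeSignature($keys[$keyId], canonicalString($method, $path, $timestamp, $nonce));
    // Constant-time comparison so response timing does not leak how much of the signature matched.
    if (!hash_equals($expected, $headers['X-App-Signature'])) {
        return 'bad signature';
    }
    $seenNonces[$nonce] = $now; // record the nonce only after a successful check
    return null;
}

// Under a web server PHP exposes custom headers as $_SERVER['HTTP_X_APP_KEY_ID'] etc.;
// this normalises them back to X-App-Key-Id form.
function requestHeaders(): array
{
    $out = [];
    foreach ($_SERVER as $name => $value) {
        if (strpos($name, 'HTTP_') === 0) {
            $header = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
            $out[$header] = $value;
        }
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Self-check with a constructed request so the file runs without a web server.
    $seen = [];
    $now = time();
    $ts = (string)$now;
    $nonce = bin2hex(random_bytes(16));
    $headers = [
        'X-App-Key-Id'    => 'ios-app-v1',
        'X-App-Timestamp' => $ts,
        'X-App-Nonce'     => $nonce,
    ];
    $headers['X-App-Signature'] = computeSignature($KEYS['ios-app-v1'], canonicalString('GET', '/data.xml', $ts, $nonce));
    echo 'first request:  ', validateSignedRequest($headers, 'GET', '/data.xml', $KEYS, $seen, $now) ?? 'valid', PHP_EOL;
    echo 'same request:   ', validateSignedRequest($headers, 'GET', '/data.xml', $KEYS, $seen, $now) ?? 'valid', PHP_EOL;
    $headers['X-App-Nonce'] = bin2hex(random_bytes(16)); // fresh nonce, but signature no longer matches
    echo 'altered nonce:  ', validateSignedRequest($headers, 'GET', '/data.xml', $KEYS, $seen, $now) ?? 'valid', PHP_EOL;
} else {
    // Web entry point: refuse the request before any XML is generated.
    $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
    $seen = []; // replace with a persistent nonce store in a real deployment
    $error = validateSignedRequest(requestHeaders(), $_SERVER['REQUEST_METHOD'], $path, $KEYS, $seen, time());
    if ($error !== null) {
        http_response_code(401);
        exit;
    }
    // ... generate and output the XML here
}
```

    Because the signature covers the method and path, a captured request cannot be reused against a different endpoint, and the timestamp plus nonce limit how long a captured request stays replayable. For a $_POST request the same idea extends by adding a hash of the body to the canonical string. Whether the values travel in headers or in $_POST makes no difference to this check; what it does not do is hide the XML or the headers from anyone on the network path when the transport is plain HTTP, and a secret compiled into a shipped app should be treated as recoverable, so the scheme identifies a build of the app rather than a particular user.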

  3. #3
    Not a dumb question at all. I'm approaching this from a fairly basic understanding of implementing security solutions in PHP.

    Didn't think to use $_POST, thanks. Budget on this atm is limited so HTTPS may not be an option.

  4. #4
    Doing a bit more digging it seems unless we're using SSL there's no way to ensure the server is talking to a valid client. In other words, no way to protect against MITM attacks. Shame.