I’m in the process of architecting a mobile application and we’re considering adding header security to the PHP file that’s currently generating the app’s XML data. So when the app requests the XML document it also sends a custom header with a secret key and some other encrypted values that the PHP script can validate.
Sorry for a dumb question but why use headers to pass secret keys at all? It’s much easier to pass the keys and other required data in $_GET parameters. If you are communicating over HTTPS then $_GET parameters are encrypted. If you are using HTTP then the headers are also sent in plain text just like $_GET. If you are worried about non-secure $_GET parameters being stored in server or proxy logs then you could pass them via $_POST. In either case I don’t see how passing values via headers increases security.
Doing a bit more digging, it seems unless we’re using SSL there’s no way to ensure the server is talking to a valid client. In other words, no way to protect against MITM attacks. Shame.
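The header-validation scheme from the opening post, written out as an added example (this is not code from the thread, the header name, the secret constant and the clock window are assumptions): the client signs the request with a shared secret instead of sending the secret itself, and the PHP endpoint verifies it before emitting the XML. As the thread concludes, this only authenticates the request; without HTTPS an on-path attacker can still read or alter the XML response, and a secret embedded in a mobile binary can be extracted.

```php
<?php
// Added example, not from the original thread. Validates a signed custom
// header on the PHP endpoint that serves the app's XML.
declare(strict_types=1);

// Placeholder: load a real random secret from configuration, not source.
const APP_SHARED_SECRET = 'REPLACE-WITH-RANDOM-SECRET';
const MAX_CLOCK_SKEW_SECONDS = 300;

/**
 * Verify "X-App-Signature: <unix-timestamp>:<hex hmac-sha256>" where the
 * HMAC covers method, path and timestamp. Returns true only for a fresh,
 * well-formed, correctly signed request.
 */
function verifyAppSignature(string $header, string $method, string $path, int $now): bool
{
    $parts = explode(':', $header, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return false; // malformed or missing header
    }
    [$ts, $sig] = $parts;
    // Reject stale or future-dated timestamps to limit replay of a captured header.
    if (abs($now - (int) $ts) > MAX_CLOCK_SKEW_SECONDS) {
        return false;
    }
    $expected = hash_hmac('sha256', "$method\n$path\n$ts", APP_SHARED_SECRET);
    // Constant-time comparison so response timing does not leak the signature.
    return hash_equals($expected, strtolower($sig));
}

// Entry point for the XML endpoint. Note the signature covers only the
// request line; on plain HTTP the response body is still unprotected.
$header = $_SERVER['HTTP_X_APP_SIGNATURE'] ?? '';
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';

if (!verifyAppSignature($header, $method, $path, time())) {
    http_response_code(401);
    exit;
}
header('Content-Type: application/xml');
// ... generate and echo the XML document here ...
```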