Adding header security to public app data?


I’m in the process of architecting a mobile application and we’re considering adding header security to the PHP file that’s currently generating the app’s XML data. So when the app requests the XML document it also sends a custom header with a secret key and some other encrypted values that the PHP script can validate.

Any suggestions on a robust way to achieve this?

I see IBM has documented something similar but it’s designed for SOAP requests.

Thanks for your help


Sorry for a dumb question but why use headers to pass secret keys at all? It’s much easier to pass the keys and other required data in $_GET parameters. If you are communicating over HTTPS then $_GET parameters are encrypted. If you are using HTTP then the headers are also sent in plain text just like $_GET. If you are worried about non-secure $_GET parameters being stored in server or proxy logs then you could pass them via $_POST. In either case I don’t see how passing values via headers increases security.

Not a dumb question at all. I’m approaching this from fairly basic understanding of implementing security solutions in PHP.

Didn’t think to use $_POST, thanks. Budget on this atm is limited so HTTPS may not be an option.

Doing a bit more digging it seems unless we’re using SSL there’s no way to ensure the server is talking to a valid client. In order words no way to protects against MITM attacks. Shame.