We have 2 Sites, let's call them www.site-1.com and www.site-2.com
We want a PHP program on site-1.com to pass data to site-2.com securely, so something like this:
www.site-2.com/process.php?value_1=99&value_2=87
and for process.php on site-2.com to do its processing based on data passed to it by site-1.com
and send a result back securely to site-1.com
What is the best way to do this in the opinion of the PHP Gods here?
We have some ideas how to do this, but I'd like to get your ideas on how to do this task.
Like most gods I work better with a sacrifice. Ideally a goat but any sort of livestock will do. Or maybe even an elePHPant http://php.net/elephpant.php
You’re basically just talking about a run-of-the-mill API request/response.
You could use a PHP library, or just fake it. Security is the big issue. You’ll want the receiving script to validate the request came from your site-1 and nowhere else. This could be via IP check, a handshake, whatever. It’s not much different than just submitting a cross site POST. You just have to prevent cross site attacks.
The Goat is on its way
Meanwhile, I am aware of cURL. But I was wondering if there was a new, cooler way of doing this.
And when you say make sure Site has SSL, which one do you mean: Site-1, which is sending data to Mother (Site2) for processing? Or Site2, which does the processing and then sends results back to Child (Site1)?
Actually, the simple suggestion of yours may be the most secure idea I have heard.
That is, Mother (Site2) should only accept data from trusted IPs, which of course we will set, and the Child (Site1) should only accept results back from Mother if it has the trusted IP. This simple req will make this communication between Mother and Children secure for sure without a doubt. Thanks.
With respect to SSL, if you don’t use https then pretty much anyone can listen in on your communications. Which is perhaps not very secure. So site 2 (as a minimum) should only support https connections.
Using IP address offers additional protection though they can be spoofed. You can also consider including a “secret key” in your request headers as an additional check.
I guess the bottom line is that security generally requires a multi-layer approach. Make sure you understand what security is before trying to implement it.
Not that I know of. Even by today’s standards and the latest encryption and SSH/HTTPS connections for ecommerce payment processing, the tools still communicate over plain old cURL.
For example, there has been a big fuss about TLS 1.1 being deprecated in favor of TLS 1.2, and some processors like Authorize.net won’t accept older TLS. This means every ecommerce store that uses some auth.net plugin of some sort will need to support TLS 1.2. An example I came across recently was with WooCommerce on a WordPress store; they used an auth.net plugin. The server required TLS 1.2 and cURL 7.34 to use it.
In any case, just saying there is nothing wrong or old school about cURL. If you’re going over secure connections though, make sure the version of cURL on the server is up to par with needed TLS versions. And TLS 1.2 is going to need OpenSSL 1.0.1 at the least, though 1.0.2 or higher is better (if your server uses OpenSSL).
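Added example, not part of any post in this thread: the cURL-over-HTTPS request and the "secret key" header check discussed above, in PHP. It goes one step beyond sending the key itself by sending an HMAC of the request body plus a timestamp, so the key never travels and old requests expire; SHARED_SECRET, the X-Timestamp and X-Signature header names, the 300-second window and all function names are assumptions.

```php
<?php
// Added example. The secret, header names and time window are assumptions.
const SHARED_SECRET = 'constructed-demo-secret'; // constructed value; load from config in practice
const MAX_SKEW = 300; // seconds a signed request stays valid

// site-1: sign "timestamp.body" so the secret itself never goes over the wire.
function sign_request(string $body, int $ts): string {
    return hash_hmac('sha256', $ts . '.' . $body, SHARED_SECRET);
}

// site-2 (process.php): reject stale or tampered requests.
function verify_request(string $body, int $ts, string $sig, int $now): bool {
    if (abs($now - $ts) > MAX_SKEW) {
        return false; // too old or from the future: limits replay of captured requests
    }
    return hash_equals(sign_request($body, $ts), $sig); // constant-time comparison
}

// site-1: POST over HTTPS with certificate checks on and TLS 1.2 requested.
function send_request(string $url, array $data) {
    $body = http_build_query($data);
    $ts = time();
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,     // verify the certificate matches the host name
        CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_HTTPHEADER => [
            'X-Timestamp: ' . $ts,
            'X-Signature: ' . sign_request($body, $ts),
        ],
    ]);
    return curl_exec($ch); // response body as a string, or false on failure
}

// Offline demo with constructed values (send_request is not called, no network needed).
$body = http_build_query(['value_1' => 99, 'value_2' => 87]);
$ts = 1700000000; // constructed timestamp
$sig = sign_request($body, $ts);
var_dump(verify_request($body, $ts, $sig, $ts + 10));                // untouched request
var_dump(verify_request($body . '&value_3=1', $ts, $sig, $ts + 10)); // body altered in transit
var_dump(verify_request($body, $ts, $sig, $ts + 3600));              // same request replayed an hour later
```

On site-2, process.php would read the raw body from php://input and the two headers from $_SERVER['HTTP_X_TIMESTAMP'] and $_SERVER['HTTP_X_SIGNATURE'] before calling verify_request(). The same signing can be applied to the response so site-1 can check the result came from site-2.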