chas — 2012-11-14T09:10:53-05:00 — #1
I'm in the process of architecting a mobile application and we're considering adding header security to the PHP file that's currently generating the app's XML data. So when the app requests the XML document it also sends a custom header with a secret key and some other encrypted values that the PHP script can validate.
Any suggestions on a robust way to achieve this?
I see IBM has documented something similar but it's designed for SOAP requests.
Thanks for your help
lemon_juice — 2012-11-14T10:09:41-05:00 — #2
Sorry for a dumb question but why use headers to pass secret keys at all? It's much easier to pass the keys and other required data in $GET parameters. If you are communicating over HTTPS then $GET parameters are encrypted. If you are using HTTP then the headers are also sent in plain text just like $GET. If you are worried about non-secure $GET parameters being stored in server or proxy logs then you could pass them via $_POST. In either case I don't see how passing values via headers increases security.
chas — 2012-11-14T11:05:43-05:00 — #3
Not a dumb question at all. I'm approaching this from fairly basic understanding of implementing security solutions in PHP.
Didn't think to use $_POST, thanks. Budget on this atm is limited so HTTPS may not be an option.
chas — 2012-11-14T11:29:34-05:00 — #4
Doing a bit more digging it seems unless we're using SSL there's no way to ensure the server is talking to a valid client. In order words no way to protects against MITM attacks. Shame.