How to protect the Callback API vk event handler from being spoofed?
Greetings. I'm interested in how to protect the VK Callback API event handler from spoofing. After all, anyone can send a request to my server as if they were VK and thus manage the community. How can I make sure that the request came from the VKontakte server?
If SSL certificates are needed specifically for this, then please tell us the principle of protection here. After all, someone can register their SSL certificate and access my server on behalf of VK, but over a secure connection...
VK added the "Secret key" parameter to the Callback API settings for groups:
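One way a handler can enforce the "Secret key" setting mentioned in the answer above, as an added example that is not part of the original post or VK's own code. It assumes the event arrives as a JSON POST body carrying `secret` and `group_id` fields and that accepted events are answered with `ok`; the secret, group id and sample bodies are constructed values.

```python
import hmac
import json

# Constructed values for the example; load the real ones from configuration.
EXPECTED_SECRET = "example-secret-not-real"
EXPECTED_GROUP_ID = 123456


def verify_event(raw_body, expected_secret=EXPECTED_SECRET,
                 expected_group_id=EXPECTED_GROUP_ID):
    """Return the parsed event if it carries the configured secret, else None."""
    try:
        event = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(event, dict):
        return None
    secret = event.get("secret")
    # A missing or non-string secret is a failure, never "no check needed".
    if not isinstance(secret, str):
        return None
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(secret.encode(), expected_secret.encode()):
        return None
    # Reject events addressed to a different community (assumed field name).
    if event.get("group_id") != expected_group_id:
        return None
    return event


def handle_callback(raw_body):
    """Map a raw POST body to an (HTTP status, response body) pair."""
    event = verify_event(raw_body)
    if event is None:
        return 403, "forbidden"
    event.pop("secret", None)  # keep the secret out of logs and app logic
    return 200, "ok"


# Constructed sample bodies: one with the secret, one forged without it.
SAMPLE_GENUINE = json.dumps({"type": "message_new", "group_id": 123456,
                             "secret": EXPECTED_SECRET, "object": {}}).encode()
SAMPLE_FORGED = json.dumps({"type": "message_new", "group_id": 123456,
                            "object": {}}).encode()

if __name__ == "__main__":
    print(handle_callback(SAMPLE_GENUINE), handle_callback(SAMPLE_FORGED))
```

Because the secret travels inside the request body, the callback URL should be served over HTTPS so it is not exposed in transit.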
You are a bit off topic on SSL)
In 2 words:
You give VK your certificate (Figure 1).
And you also attach a certificate to the bot server (THEY ARE UNIQUE, it is impossible to create 2 "identical" certificates).
When requested, they are compared and voilà - substitution is IMPOSSIBLE.
This is all very conditional and rude))))