Answer the question
In order to leave comments, you need to log in
How to secure the server when receiving a POST?
Hey! I have two servers. One sends files to another via curl to download.
Is it worth sending a token so that the receiving side checks the source, or is it enough to know that the POST comes from a trusted domain?
Answer the question
In order to leave comments, you need to log in
The usual thing is to add a signature: sha256 (data collected in a string + a key known to both parties). And check it, discarding other requests.
For example, my hoster (Timeweb) regularly probes my scripts with its robots, which are accessed externally. From payment systems, for example. Even though there are no references to them anywhere. Either they are looking for bots, or something else. Naturally, it is more expensive to process such requests.
Read how to make the right REST API (for POST and not only).
Briefly: three additional parameters are needed (besides the API request parameters): HASH, RANDOM, TIMESTAMP.
HASH - we form according to TOKEN (we receive it in advance from the server) based on all the data transmitted when requesting the API: API parameters, RANDOM and TIMESTAMP.
We check the signature upon receipt of the request and compare it with HASH: if the signature is equal to HASH, we execute the request.
Input data that we want to trust:
1. Domain name of the API client: domain_expected
2. TXT record of the API client domain: TXT_record_expected
Available data (when receiving an API request from the client):
3 API Client IP: IP(1)
When initializing a new session (before generating a new token), you can make 3-4 DNS queries to any public DNS server (before generating a token!):
1. reverse_lookup (API client IP(1) to domain name(1)) => recognized the domain(1).
2. lookup (domain(1) to IP(2) by A-record) => learned IP(2)
3. reverse_lookup (IP(2) to domain name(2)).
4. Optional: you can check for the presence of the desired TXT records (and any others) and compare with the expected ones (the so-called "static public token").
After receiving all the data, check:
If the expression is true, then we issue a token to the client IP that has applied to provide access to this client to start working with our API.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question