Is it possible to make a fake POST request?

Viewed 175 times

5

I am creating a central system that validates information coming from other client systems via POST, and I would like to know if it would be possible for someone to make a fake POST request by posing as one of those clients, using, for example, the HTTP_REFERER of a client?

If so, what can I do to protect myself?

  • I think it is recommended to use some kind of authentication (login and password)... Or some system where the initial request is a code to get the real data: your server receives this code and makes the request to the client's domain; if it is fake, the client will refuse...

1 answer

7


Yes, it is possible to forge an entire HTTP request. Never trust client-side data.

Regardless of your architecture, if your server is communicating with other systems it is essential that these systems are authenticated. The surest way to do this is via SSL/TLS, with certificates on both the server and the client side. This guarantees both the authenticity of the communication and its confidentiality.

In a web setting (HTTP server + browser) a server-side certificate is used, signed by a Certification Authority (CA). On the client side, the user authenticates with a username and password; alternatively, the user can also use a certificate, but this is rare. The way this is done is by authenticating only the server during the SSL/TLS handshake and, once a secure communications channel is established, using this channel to transmit additional authentication data (the client's username and password). Once this is also authenticated, both share a secret key (session key) which is checked with each individual request (in the browser, this key is usually in a cookie).

This is the most common mode of operation, but it is not the most suitable for cases where one system communicates with another system. If you have control over all the systems involved, first of all you don't have to pay a CA to sign your certificate: you manually install it on every client that communicates with your server. In addition, each client machine can also have its own certificate, which is registered on the server machine. When establishing the secure connection, the client validates the server certificate and the server validates the client certificate. Once this connection is established, you can trust it 100% and use all HTTP methods at will, whether GET, POST, or something else.

Check your platform for SSL/TLS support and certificate authentication. For example, Java has SSLSession and C# has SslStream. How exactly to implement this is something I unfortunately don't have enough experience to help with. Anyway, regardless of whether you follow this suggestion or not, it is important that client authentication is done in some way, not relying on the Referer or any other connection parameter.
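The mutual-TLS arrangement the answer describes, as an added Go example that is not part of the original answer: it uses only the standard library, constructs an ephemeral self-signed client certificate in place of one installed by hand, and lets httptest supply the server certificate. The function names ClientCert, NewMTLSServer and Post and the host client-a.example are hypothetical. A request that merely spoofs a Referer (no client certificate, or a certificate the server never registered) fails at the handshake; only the registered certificate gets through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// ClientCert makes an ephemeral self-signed client certificate (constructed for this example;
// in a real deployment it is generated once per client and its public half is registered on the server).
func ClientCert(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// NewMTLSServer starts an HTTPS server (httptest supplies the server certificate) that rejects
// any handshake whose client certificate is not in the registered pool; the handler then only
// sees connections whose PeerCertificates[0] has already been verified.
func NewMTLSServer(registered *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Method+" from "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: registered}
	srv.StartTLS()
	return srv
}

// Post sends a POST with the given client certificate (nil = none, which is all a forger who
// merely spoofs a Referer header has) and returns the body or the handshake error.
func Post(srv *httptest.Server, cert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // the client verifies the server's certificate too
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil { cfg.Certificates = []tls.Certificate{*cert} }
	req, _ := http.NewRequest("POST", srv.URL, nil)
	req.Header.Set("Referer", "https://client-a.example/") // anyone can set this; the server ignores it
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Do(req)
	if err != nil { return "", err }
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body), nil
}
```

The server identifies the caller from the verified certificate's CommonName rather than from anything in the request, which is the point the answer makes about Referer and other connection parameters.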
