views: 56
answers: 1

Hello everyone, I am trying to write a RESTful Google App Engine application (Python) that accepts requests only from another GAE app that I wrote. I don't like any of the ways that I thought of to get this done; please advise if you know of something better than:

  • Get SSL set up, and simply add the credentials on the request that my consuming app will send. I don't like it because SSL will slow things down.

  • Security by obscurity. Add a random number in my request that is in Xmod0, where X is a secret number that both applications know. I just... don't like this.

  • Check the HTTP header to see where the request is coming from. This option is the one that I hate the least: not a lot of processing, and spoofing an HTTP request is not really worth it, for my application's data.

Is there any other clean solution for this?

+1  A: 

Use an HMAC. Embed the same secret in each app, and sign requests and responses using the HMAC. Don't forget to include nonces and timestamps to prevent replay attacks!

Nick Johnson
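A worked version of the HMAC scheme in the answer above, added here as an example and not code from the answer, the question, or App Engine itself. It assumes a shared secret embedded in both apps, three custom headers (`X-Timestamp`, `X-Nonce`, `X-Signature`, names chosen for this example) and an in-memory nonce store; the `sign_request` and `Verifier` names are likewise assumptions. The consuming app calls `sign_request` to produce headers; the receiving app runs `Verifier.verify` on each incoming request and checks the signature in constant time, rejects requests outside a clock-skew window, and refuses any nonce it has already accepted.

```python
import hashlib
import hmac
import os
import time

# Constructed secret for this example only; each app would load its own copy
# from configuration in a real deployment, never from source control.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Clock skew tolerated between the two apps, in seconds (assumed value).
MAX_SKEW = 300


def canonical_string(method, path, body, timestamp, nonce):
    """Build the exact byte string both sides sign.

    The body is hashed so the string stays small, and fields are joined with
    newlines so one field cannot be confused with its neighbour.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, body_hash, str(timestamp), nonce]
    return "\n".join(fields).encode()


def sign_request(method, path, body, secret=SHARED_SECRET, now=None, nonce=None):
    """Return the headers the consuming app attaches to its outgoing request."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or os.urandom(16).hex()
    msg = canonical_string(method, path, body, timestamp, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256)
    return {
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


class Verifier:
    """Receiving-side check: signature, freshness window, and one-time nonces."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        # nonce -> timestamp it was accepted with. A plain dict stands in for
        # a shared store (memcache/datastore) so the example runs offline.
        self.seen = {}

    def verify(self, method, path, body, headers, now=None):
        """Return (ok, reason) for an incoming request."""
        now = int(now if now is not None else time.time())
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            provided = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"

        # Reject stale or future-dated requests before doing any further work.
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside allowed window"

        msg = canonical_string(method, path, body, timestamp, nonce)
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so timing differences do not leak the MAC.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"

        # Record the nonce only after the signature checks out, so unsigned
        # junk cannot fill the nonce store.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = timestamp
        self._expire(now)
        return True, "ok"

    def _expire(self, now):
        # A nonce older than the window can never validate again, so drop it.
        for n, ts in list(self.seen.items()):
            if now - ts > self.max_skew:
                del self.seen[n]


if __name__ == "__main__":
    body = b'{"op": "ping"}'
    headers = sign_request("POST", "/api/v1/ping", body)
    v = Verifier()
    print(v.verify("POST", "/api/v1/ping", body, headers))  # accepted
    print(v.verify("POST", "/api/v1/ping", body, headers))  # replay rejected
```

Two points worth noting when moving this off a single instance: the nonce store must be shared across all instances of the receiving app (memcache or the datastore on GAE) or a replay can succeed on an instance that has not seen the nonce, and the HMAC only proves origin and integrity, so if the payload itself is confidential the request still needs to travel over SSL.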