views: 17

answers: 1

I'm setting up a payment gateway on our site that we can post information to via PHP (so all information is hidden from prying eyes), which will post to authorize.net, post back to our gateway, and post back to our current page. The purpose of this is to give us a streamlined method of processing payments and easier debugging.

I have an auth key that is required to be posted to our gateway for the transaction to be processed. Is it worth it for me to secure a list of approved URLs to accept posts from, or is that too easily manipulated?

Do you have any other ideas on what I should focus on in regards to securing my gateway?

Update

This gateway has a login/key pair used for authorize.net that it submits to. I have a 64-digit md5-encoded key that I use for domain.com to communicate with gateway.domain.com, which happens of course over SSL. I'm inquiring as to whether that key is enough. Granted, anyone with that key could run a transaction, but why would they? It would only be giving us money.

A: 
David Wolever
I've provided more details as to our setup. It doesn't seem like OAuth is the right solution, if I'm understanding it right.
Webnet
Ah, I see: since you control `domain.com`, then that key is just fine (after all, if `domain.com` is compromised, you're in trouble no matter what). If you wanted an extra layer of security, you could also use a firewall or some other IP-based filtering to restrict access to `gateway.domain.com` (i.e., so that only the `domain.com` servers can access it).
David Wolever
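The checks discussed in this thread (the shared key posted over SSL, plus IP-based filtering so only the `domain.com` servers reach `gateway.domain.com`), written out as an added example for the gateway side; this is not code from the original post, and the `auth_key` field name, the placeholder key value and the sample addresses are assumptions.

```php
<?php
// Added example (not from the original post): checks that gateway.domain.com
// can run on an inbound POST from domain.com. The field name "auth_key", the
// placeholder key and the addresses below are assumptions.

declare(strict_types=1);

// Shared secret that domain.com posts to the gateway. Placeholder value:
// load the real one from config outside the web root, never put it in a URL.
const GATEWAY_SHARED_KEY = 'REPLACE_WITH_THE_REAL_KEY';

// The IP filtering from the answer: only the domain.com web servers may
// talk to the gateway. Use the addresses your servers actually connect from.
// If a proxy or load balancer sits in front of the gateway, REMOTE_ADDR is
// the proxy's address and the allowlist must be applied there instead.
const ALLOWED_SOURCE_IPS = ['203.0.113.10', '203.0.113.11'];

/**
 * Return a reason the request must be rejected, or null if it is acceptable.
 * $server and $post are passed in (rather than reading $_SERVER / $_POST
 * directly) so the function can be exercised from a test.
 */
function gateway_request_problem(array $server, array $post): ?string
{
    // 1. The key must never travel in the clear: refuse plain HTTP.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return 'not over TLS';
    }
    // 2. Source check. REMOTE_ADDR comes from the TCP connection, unlike
    //    HTTP_REFERER/Origin, which the sender fills in however it likes, so an
    //    "approved URL" list built on those headers proves nothing.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($ip, ALLOWED_SOURCE_IPS, true)) {
        return "source {$ip} not allowed";
    }
    // 3. Shared key. hash_equals() runs in constant time, so a wrong key fails
    //    without revealing how many leading characters were correct.
    $key = $post['auth_key'] ?? '';
    if (!is_string($key) || !hash_equals(GATEWAY_SHARED_KEY, $key)) {
        return 'bad auth key';
    }
    return null;
}

// Constructed sample requests: an allowed server with the right key, and an
// unknown host presenting the same key (rejected by the IP check first).
$fromWeb   = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.10'];
$fromOther = ['HTTPS' => 'on', 'REMOTE_ADDR' => '198.51.100.7'];
$body      = ['auth_key' => GATEWAY_SHARED_KEY, 'amount' => '19.99'];

var_dump(gateway_request_problem($fromWeb, $body));
var_dump(gateway_request_problem($fromOther, $body));
```

In production, call the function with `$_SERVER` and `$_POST` at the top of the gateway script and stop with an HTTP 403 whenever it returns a non-null reason.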