Verify source of HTTP request

I've got two systems that need to talk. The systems are set up like so:

System A, running Django (Python 2.5) on Google App Engine (GAE)

System B, running Django (Python 2.6) on Ubuntu/Linux over Lighttpd (maybe nginx, later)

System A will periodically make requests ('requisitions') of System B using Url Fetch.

System B has a Django app setup to listen for these requests with a urls.py with something like:

urlpatterns = patterns('producer.views',
    url(r'^requisition$', 'requisition', name='requisition'),
)

And a corresponding views.py with something like:

import json
from django.http import HttpResponse

def requisition(request):
    " do something "
    response = HttpResponse()
    response['Content-type'] = 'application/json'
    response.write(json.dumps(...))
    return response

It would be a valuable addition to security of the system if System B responded to requisitions only from System A.

I'd like to know what options are available for System B to verify that requests have come from System A. I've considered the following:

  • Check that the IP address is from GAE (however I don't know the GAE IP addresses, they may change, and they may be spoofed)
  • Check that the reverse DNS of the IP is from GAE (however I don't know what GAE's DNS entries are, if they will change, and they may be spoofed)
  • Use a TLS client certificate from System A - but I don't know how to do this with GAE
  • Do a challenge/response based on something shared, like a salt, with pycrypto

Ideally I want to end up with a views.py with something like so:

...
from django.http import HttpResponseForbidden

def requisition(request):
    " do something "
    if not verify_request_origin():
        return HttpResponseForbidden("Denied.")

    response = HttpResponse()
    ...

Where verify_request_origin() returns true when the request made to System B was from System A on GAE.

Thank you and I look forward to hearing your thoughts.

Asked by Brian M. Hunt, Feb 14 '10 21:02


1 Answer

It sounds like it would suffice to use SSL on the link and include a password in the query string.

SSL keeps out sniffers, and you're not going to reveal the queries outside systems under your control, so a shared secret will do (and will be more secure than IP tracking, as other GAE sites will use those addresses).

Answered by Andrew Aylett, Sep 26 '22 15:09
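Both the question's last bullet (a challenge/response on a shared secret) and the answer (SSL plus a shared secret) come down to the same thing: System B must check that a request was produced by something holding a secret only System A has. The following is an added example, not code from the asker, the answerer, or Django; it is written for Python 3 rather than the Python 2.5/2.6 in the question, and the header names (X-Requisition-*), SYSTEM_AB_SECRET and MAX_SKEW_SECONDS are constructed placeholders. Instead of putting the password in the query string, where it ends up in access logs and proxy logs, it sends an HMAC over the request in a header, so the secret itself never crosses the wire, and it adds a timestamp window and a nonce so a captured request cannot simply be replayed. The module runs stand-alone; in the view, `headers` would be built from `request.META` and `body` from `request.body`.

```python
"""Shared-secret request authentication for the System A -> System B link.

Added example (not the question's or answer's code). Assumes both systems
hold the same secret and that the link already runs over TLS, so the secret
only has to prove *who* sent the request, not hide the payload.
"""
import hashlib
import hmac
import os
import time

# Constructed placeholder; load from configuration in practice, never from source.
SYSTEM_AB_SECRET = b"replace-me-with-a-long-random-secret"

# Accept timestamps this many seconds away from the receiver's clock.
MAX_SKEW_SECONDS = 300


def _signing_string(method, path, timestamp, nonce, body):
    """Canonical bytes both sides MAC: method, path, timestamp, nonce, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, body, secret=SYSTEM_AB_SECRET, now=None, nonce=None):
    """System A side: returns the headers to attach to an outgoing request."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or os.urandom(16).hex()
    mac = hmac.new(secret, _signing_string(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {
        "X-Requisition-Timestamp": str(timestamp),
        "X-Requisition-Nonce": nonce,
        "X-Requisition-Signature": mac,
    }


def verify_request_origin(method, path, headers, body, secret=SYSTEM_AB_SECRET,
                          now=None, seen_nonces=None):
    """System B side: True only if the request carries a valid, fresh, unreplayed MAC.

    `headers` is a plain dict of header name -> value; in a Django view it would
    be built from request.META (HTTP_X_REQUISITION_SIGNATURE, ...).
    `seen_nonces` is a set shared across requests (a cache in production).
    """
    try:
        timestamp = int(headers["X-Requisition-Timestamp"])
        nonce = headers["X-Requisition-Nonce"]
        presented = headers["X-Requisition-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed authentication headers

    current = now if now is not None else time.time()
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the freshness window: treat as a replay

    expected = hmac.new(secret, _signing_string(method, path, timestamp, nonce, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak matching bytes.
    if not hmac.compare_digest(expected, presented):
        return False

    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False  # exact replay of an earlier valid request
        seen_nonces.add(nonce)
    return True


def demo():
    """Round trip plus the failure cases a reviewer would want checked."""
    body = b'{"requisition": 42}'
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    hdrs = sign_request("POST", "/requisition", body, now=now)
    results = {
        "valid": verify_request_origin("POST", "/requisition", hdrs, body, now=now),
        "tampered_body": verify_request_origin("POST", "/requisition", hdrs,
                                               b'{"requisition": 43}', now=now),
        "stale": verify_request_origin("POST", "/requisition", hdrs, body,
                                       now=now + MAX_SKEW_SECONDS + 1),
        "wrong_secret": verify_request_origin("POST", "/requisition", hdrs, body,
                                              secret=b"other", now=now),
    }
    seen = set()
    results["first_use"] = verify_request_origin("POST", "/requisition", hdrs, body,
                                                 now=now, seen_nonces=seen)
    results["replay"] = verify_request_origin("POST", "/requisition", hdrs, body,
                                              now=now, seen_nonces=seen)
    return results


if __name__ == "__main__":
    print(demo())
```

The MAC covers method, path, timestamp, nonce and a hash of the body, so changing any of them invalidates the signature; the nonce set needs to survive across worker processes (a shared cache keyed on the nonce with a TTL of MAX_SKEW_SECONDS is enough), and the two clocks need to agree to within that window. Compared with the IP-address and reverse-DNS options in the question, this checks possession of the secret rather than where the packet appears to come from, which is the property the asker actually wants.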