I've got two systems that need to talk. The systems are setup likeso:
System A
, running Django (Python 2.5) on Google App Engine (GAE)
System B
, running Django (Python 2.6) on Ubuntu/Linux over Lighttpd (maybe nginx, later)
System A will periodically make requests ('requisitions') of System B using Url Fetch.
System B has a Django app setup to listen for these requests with a urls.py
with something like:
urlpatterns = patterns('producer.views',
url(r'^requisition$', 'requisition', name='requisition'),
)
And a corresponding views.py
with something like:
import json
from django.http import HttpResponse
def requisition(request):
" do something "
response = HttpResponse()
response['Content-type'] = 'application/json'
response.write(json.dumps(...))
return response
It would be a valuable addition to security of the system if System B responded to requisitions only from System A.
I'd like to know what options are available for System B to verify that requests have come from System A. I've considered the following:
Ideally I want to end up with a views.py
with something likeso:
...
from django.http import HttpResponseForbidden
def requisition(request):
" do something "
if not verify_request_origin():
return HttpResponseForbidden("Denied.")
response = HttpResponse()
...
Where verify_request_origin() returns true when the request made to System B
was from System A
on GAE.
Thank you and I look forward to hearing your thoughts.
There is absolutely no way to know with certainty if a request came from a browser or something else making an HTTP request. The HTTP protocol allows for the client to set the User Agent arbitrarily.
An HTTP request is made out of three components: request line, headers and message body.
HTTP works as a request-response protocol between a client and server. Example: A client (browser) sends an HTTP request to the server; then the server returns a response to the client. The response contains status information about the request and may also contain the requested content.
It sounds like it would suffice to use SSL on the link and include a password in the query string.
SSL keeps out sniffers, and you're not going to reveal the queries outside systems under your control, so a shared secret will do (and will be more secure than IP tracking, as other GAE sites will use those addresses).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With