On Jun 9, 2016 4:59 AM, "Philip Lee" <redstone-c...@163.com> wrote:
>
> I am planning to design an encrypted time-limited API on both Client and
> Server sides; the server side is written in Django, and the client side is a
> GUI program which calls the API by
>
> import requests
> c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'videoUrl': videoUrl})
>
> The way it calls the API is desperately exposed to those who can use
> network traffic capturing tools like Wireshark and Fiddler, while I don't
> want anyone else to be able to call the API with their customized videoUrl, and if
> people make the post call with the same parameters 2 minutes after
> the client initially made the call, the call should be valid or expired, so
> how do I design the encrypted time-limited API on both Client and Server sides
> in this case?
>

This is the exact reason HTTPS was invented. If you are concerned about
data privacy and integrity during transport, implement HTTPS on your server
and force the client to use it. You should also be authenticating and
authorizing users for the same reason.

> ________________________________
>
> P.S. I think adding an identifier to the post data could prevent them from using
> the API
>
> import requests
> c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'videoUrl': videoUrl, 'identifier': value_of_identifier})
>
> provided there is something encrypted in the value_of_identifier and it
> changes with each call, but I don't know how to get started. Any ideas?
>

The obfuscation techniques you are proposing will only make your life
miserable and will probably be trivial for an attacker to figure out.

Focus your energy on getting HTTPS properly in place.

-James
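The reply above recommends HTTPS plus real authentication and authorization rather than an obfuscated identifier. The added example below is not from the thread; it shows what the "authenticate the user" part looks like when it also has to satisfy the two-minute expiry the question asks for. Every name in it (USER_SECRET, build_post_data, RequestVerifier, the timestamp, nonce and signature fields, the 120-second window taken from the question's "2 minutes") is an assumption of this example, not something the thread or Django provides. The design point it illustrates is the difference between obfuscation and authentication: the secret is issued per user by the server after a login over HTTPS, so a copy of the GUI program contains nothing that lets a third party forge a call, and a captured request cannot be replayed later. It complements HTTPS rather than replacing it; without TLS the videoUrl itself is still visible on the wire.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample value (an assumption of this example): a per-user secret
# the server handed to this client after a login over HTTPS. It is never
# embedded in the shipped GUI binary, which is what distinguishes this from
# the obfuscated-identifier idea in the question.
USER_SECRET = b"per-user-secret-issued-at-login"

MAX_AGE_SECONDS = 120  # the "2 minutes" from the question


def canonical_message(video_url: str, timestamp: int, nonce: str) -> bytes:
    """Length-prefix each signed field so that field boundaries are
    unambiguous (a plain 'a|b' join could be reinterpreted)."""
    parts = [video_url.encode(), str(timestamp).encode(), nonce.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_request(secret: bytes, video_url: str, timestamp: int, nonce: str) -> str:
    """HMAC-SHA256 over the canonical message, hex encoded."""
    msg = canonical_message(video_url, timestamp, nonce)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_post_data(secret: bytes, video_url: str, now: Optional[int] = None) -> Dict[str, str]:
    """Client side: the dict that would go into requests.post(..., data=...).
    'now' is injectable so the behaviour can be tested deterministically."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # fresh per call, makes each request unique
    return {
        "videoUrl": video_url,
        "timestamp": str(ts),
        "nonce": nonce,
        "signature": sign_request(secret, video_url, ts, nonce),
    }


class RequestVerifier:
    """Server side (framework-agnostic; a Django view would call verify()):
    reject requests that are older than MAX_AGE_SECONDS, carry a bad
    signature, or reuse a nonce that was already accepted (replay)."""

    def __init__(self, secret_for_user: Callable[[str], bytes], max_age: int = MAX_AGE_SECONDS):
        self._secret_for_user = secret_for_user
        self._max_age = max_age
        self._seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, user: str, data: Dict[str, str], now: int) -> Tuple[bool, str]:
        try:
            ts = int(data["timestamp"])
            nonce = data["nonce"]
            video_url = data["videoUrl"]
            sig = data["signature"]
        except (KeyError, ValueError):
            return False, "malformed"
        # Expiry check first: anything outside the window is dropped cheaply.
        if abs(now - ts) > self._max_age:
            return False, "expired"
        expected = sign_request(self._secret_for_user(user), video_url, ts, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Drop nonces older than the window so the replay cache stays bounded;
        # anything older is already rejected by the expiry check above.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._max_age}
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    verifier = RequestVerifier(lambda user: USER_SECRET)
    payload = build_post_data(USER_SECRET, "https://example.invalid/video", now=1_000_000)
    print(verifier.verify("alice", payload, now=1_000_060))  # accepted
    print(verifier.verify("alice", payload, now=1_000_061))  # same nonce again: replay
```

The nonce cache here is an in-process dict, which is enough to show the check; a real deployment with several Django workers would keep it in shared storage such as the cache backend, keyed with the same expiry as the window.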

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CA%2Be%2BciVQs_kq0QT-SSsMGmWQuS54eu0c-vxz973C5Te25XL5Sg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
