Is it possible to make a false POST request?

5

I am creating a central system that validates the information coming from other client systems via POST, and would like to know whether it would be possible for someone to make a false POST request by passing themselves off as one of those clients, using, for example, HTTP_REFERER from a client?

If yes, what can I do to protect myself?

asked by anonymous 07.09.2014 / 00:26

1 answer

7

Yes, you can forge everything in an HTTP request. Never rely on data coming from the client side.

Regardless of your architecture, if your server is communicating with other systems it is imperative that these systems are authenticated. The surest way to do this is via SSL/TLS, with both server-side and client-side certificates. This guarantees both the authenticity of the communication and its confidentiality.

In a web (HTTP server + browser) scenario, you usually use a security certificate on the server side, which is signed by a Certificate Authority (CA). On the client side, the user authenticates with a user name and password. Alternatively, also with a certificate, but this is rare. The way this is done is by authenticating only the server during the SSL/TLS handshake and, once a secure communications channel is established, using that channel to transmit the additional authentication data (the client's user name and password). Once this is also authenticated, both share a secret key (session key) that is checked for each individual request (in the browser, this key is usually a cookie).

This is the most common mode of operation, but it is not best suited for cases where one system communicates with another system. If you have control over all the systems involved, you do not even need to pay a CA to sign your certificate: you install it manually on each client that communicates with your server. In addition, each client machine can also have its own certificate, which is registered on the server machine. When establishing the secure connection, the client validates the server's certificate and the server validates the client's certificate. Once this connection is established, it can be trusted 100%, and all HTTP methods can be used at will, no matter whether it is GET, POST, or something else.

Check your platform for SSL/TLS support and certificate authentication. For example, Java has SSLSession and C# has SslStream. Exactly how to implement this is something I unfortunately do not have enough experience with to help. Regardless of whether or not you follow this suggestion, it is important that client authentication is done in some way, not relying on Referer or any other parameter in the connection.

07.09.2014 / 01:16
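The registered-certificate arrangement the answer describes (each side pins the other's self-signed certificate and the server refuses the handshake unless the client presents a registered one), as an added Go example that is not part of the original question or answer. The helper names selfSigned and handshake, the machine names central-server and client-a, and the use of net.Pipe in place of a real TCP connection are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a key and self-signed certificate for name: each machine generates its own and registers it with its peers out of band, no CA involved.
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake connects a client presenting client (nil for none) to a server that admits only the registered certificate; it returns the identity the server authenticated, or why it refused.
func handshake(server, registered tls.Certificate, client []tls.Certificate) (string, error) {
	srvTrust, cliTrust := x509.NewCertPool(), x509.NewCertPool()
	srvTrust.AddCert(registered.Leaf) // the server trusts exactly this client certificate
	cliTrust.AddCert(server.Leaf)     // the client trusts exactly this server certificate
	srvEnd, cliEnd := net.Pipe()      // in-memory stand-in for the TCP connection
	defer srvEnd.Close()
	defer cliEnd.Close()
	srvEnd.SetDeadline(time.Now().Add(5 * time.Second)) // a stuck handshake fails instead of hanging
	go func() { // client side: pins the server certificate, presents its own, then awaits the verdict
		c := tls.Client(cliEnd, &tls.Config{RootCAs: cliTrust, ServerName: server.Leaf.Subject.CommonName, Certificates: client})
		if c.Handshake() == nil {
			c.Read(make([]byte, 1)) // with TLS 1.3 the verdict arrives only now, as an alert if refused
		}
	}()
	srv := tls.Server(srvEnd, &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // missing or unregistered client certificate: no connection
		ClientCAs:    srvTrust,
	})
	if err := srv.Handshake(); err != nil { // a forged, borrowed or missing client identity is stopped here
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil // verified by TLS, not chosen by the client like Referer
}
```

Note that an impostor presenting a different certificate with the same name is refused too: the server checks the registered certificate itself, not the name inside it.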