Design an encrypted time-limited API on Client/Server side


Philip Lee

Jun 9, 2016, 7:59:34 AM6/9/16
to Django users

I am planning to design an encrypted, time-limited API on both the client and server sides. The server side is written in Django; the client side is a GUI program which calls the API by

import requests
c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'videoUrl': videoUrl })

The way it calls the API is desperately exposed to anyone who can use network-traffic-capturing tools like Wireshark and Fiddler, while I don't want anyone else to be able to call the API with their own customized videoUrl, and if people make the POST call with the same parameters 2 minutes after the client initially made the call, the call should be invalid or expired. So how do I design the encrypted, time-limited API on both the client and server side in this case?


P.S. I think adding an identifier to the POST data could prevent them from using the API

import requests
c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'videoUrl': videoUrl, 'identifier':value_of_identifier })

provided there is something encrypted in value_of_identifier that changes with each call, but I don't know how to get started. Any ideas?

It would be better to show some code; I really don't know how to start writing the code.

James Schneider

Jun 9, 2016, 11:03:23 AM6/9/16
to django...@googlegroups.com


On Jun 9, 2016 4:59 AM, "Philip Lee" <redsto...@163.com> wrote:
>
> I am planning to design an encrypted, time-limited API on both the client and server sides. The server side is written in Django; the client side is a GUI program which calls the API by
>
> import requests
> c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'videoUrl': videoUrl })
>
> The way it calls the API is desperately exposed to anyone who can use network-traffic-capturing tools like Wireshark and Fiddler, while I don't want anyone else to be able to call the API with their own customized videoUrl, and if people make the POST call with the same parameters 2 minutes after the client initially made the call, the call should be invalid or expired. So how do I design the encrypted, time-limited API on both the client and server side in this case?
>

This is the exact reason HTTPS was invented. If you are concerned about data privacy and integrity during transport, implement HTTPS on your server and force the client to use it. You should also be authenticating and authorizing users for the same reason.

>
> P.S. I think adding an identifier to the POST data could prevent them from using the API
>
> import requests
> c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'videoUrl': videoUrl, 'identifier':value_of_identifier })
>
> provided there is something encrypted in value_of_identifier that changes with each call, but I don't know how to get started. Any ideas?
>

The obfuscation techniques you are proposing will only make your life miserable and will probably be trivial for an attacker to figure out.

Focus your energy on getting HTTPS properly in place.

-James
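One way to build the per-call, time-limited identifier the question asks about, as an added example that is not part of the thread and not what James recommends: Python on both sides (the client uses requests, the server is Django), with an HMAC over the videoUrl, a timestamp and a random nonce, a 2-minute acceptance window, and a server-side nonce cache so a captured request cannot be replayed inside that window. The names sign_request, verify_request and SeenNonces, the shared secret value and the 120-second window are assumptions for illustration. James's caveat still applies: the secret has to ship inside the GUI client, so anyone who can run the client can extract it and sign any videoUrl they like; this only stops passive capture-and-replay and tampering with the signed fields, and it gives no confidentiality. HTTPS plus per-user credentials is the actual fix; the code below shows the replay-window mechanics if you layer one on top of that.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Hypothetical shared secret (illustration only). In a distributed GUI client it
# has to live inside the binary, so treat it as extractable by any user.
SHARED_SECRET = b"example-secret-replace-me"
MAX_SKEW_SECONDS = 120  # the "2 minutes" window from the question


def canonical_string(video_url, timestamp, nonce):
    # Deterministic encoding of the signed fields so client and server
    # compute the MAC over exactly the same bytes.
    return urlencode([("videoUrl", video_url),
                      ("ts", str(timestamp)),
                      ("nonce", nonce)]).encode()


def sign_request(video_url, timestamp=None, nonce=None, secret=SHARED_SECRET):
    """Client side: build the POST body with a timestamped HMAC identifier.
    The result is what you would pass as data= to requests.post(...)."""
    if timestamp is None:
        timestamp = int(time.time())
    if nonce is None:
        nonce = secrets.token_hex(16)  # fresh per call, never reused
    mac = hmac.new(secret, canonical_string(video_url, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"videoUrl": video_url, "ts": str(timestamp),
            "nonce": nonce, "identifier": mac}


class SeenNonces:
    """Server-side replay cache. A real deployment keeps this in the DB or
    cache backend so it is shared across workers and survives restarts."""

    def __init__(self):
        self._seen = {}

    def contains(self, nonce):
        return nonce in self._seen

    def add(self, nonce, timestamp):
        self._seen[nonce] = timestamp

    def expire(self, now):
        # Nonces older than the window are rejected by the timestamp check
        # anyway, so they no longer need to be remembered.
        cutoff = now - MAX_SKEW_SECONDS
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}


def verify_request(data, seen, now=None, secret=SHARED_SECRET):
    """Server side: what the Django view would run on request.POST.
    Returns (ok, reason); the view returns 403 on any failure."""
    if now is None:
        now = int(time.time())
    try:
        video_url = data["videoUrl"]
        ts = int(data["ts"])
        nonce = data["nonce"]
        identifier = data["identifier"]
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    # Time window first: an old request is rejected even if correctly signed.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "expired"
    # Constant-time MAC comparison; never compare MACs with ==.
    expected = hmac.new(secret, canonical_string(video_url, ts, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, identifier):
        return False, "bad signature"
    # A captured request is still valid inside the window; the nonce cache
    # closes that gap. Checked after the MAC so unsigned junk cannot fill it.
    seen.expire(now)
    if seen.contains(nonce):
        return False, "replay"
    seen.add(nonce, ts)
    return True, "ok"


if __name__ == "__main__":
    cache = SeenNonces()
    body = sign_request("https://example.com/v/1")  # constructed sample input
    print(verify_request(body, cache))   # first call passes
    print(verify_request(body, cache))   # identical replay is rejected
```

The client posts the returned dict as data= to an https:// URL with certificate verification left on (the requests default); the view hands request.POST to verify_request. Because the signature covers videoUrl, a captured request cannot be edited to point at another URL, and because the nonce is recorded only after the signature check, an attacker cannot poison the replay cache with unsigned requests.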
