[dokuwiki] Re: ajax consuming cross domain webservice

  • From: Andy Webber <dokuwiki@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 24 Apr 2009 08:12:44 +0100

James Lin wrote:
Do you really want to be sending URLs with the request? Better to
hardcode the destination on the server-side and only send the arguments
from js.

No, not really, but I want to make the proxy as generic as possible without
hardcoding the webservice urls, but like you said, having the js post the
complete webservice url will have security concerns. Maybe add some string
encryption on the url? Will it work?

If you encrypt it, what will the key be? Will it be one key for all plugins, one key per server or one key per request? Where will it be stored, can an attacker get hold of it or determine what it is?

Checksumming would obviously not be good enough, but an HMAC may be. But for an HMAC you need a key ... see the discussion above.

If you can, the best way is to have a list of URLs that is configured by a privileged user (which is what I'd read for "hardcoded", because genuinely hard coded would be too difficult to manage).

Cheers
Andy
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
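
One way to implement the privileged-user URL list suggested in the reply above, as an added example that is not part of the original thread or of DokuWiki's code. The service keys, URLs, parameter names and the `resolveUpstream` helper are constructed for illustration, and how the list is stored is an assumption.

```php
<?php
// Added example. Stands in for a setting that only a privileged user can edit;
// every key, URL and parameter name here is constructed.
$allowedServices = [
    'weather' => ['url' => 'https://api.example.org/v1/weather', 'params' => ['city', 'units']],
    'stock'   => ['url' => 'https://quotes.example.net/lookup',  'params' => ['symbol']],
];

/**
 * Map a browser request to an upstream URL. The browser sends only a short
 * service key plus arguments; the destination always comes from the
 * configured list, so no key, cipher or HMAC has to be shared with the client.
 */
function resolveUpstream(array $services, array $request): string
{
    $key = $request['service'] ?? '';
    if (!is_string($key) || !array_key_exists($key, $services)) {
        throw new InvalidArgumentException('unknown service key');
    }
    $svc  = $services[$key];
    $args = [];
    // Forward only the argument names configured for this service.
    foreach ($svc['params'] as $name) {
        if (isset($request[$name]) && is_scalar($request[$name])) {
            $args[$name] = (string) $request[$name];
        }
    }
    $query = http_build_query($args);
    return $query === '' ? $svc['url'] : $svc['url'] . '?' . $query;
}

// Constructed requests as the js side might post them.
$samples = [
    ['service' => 'weather', 'city' => 'Oxford', 'units' => 'metric'],
    ['service' => 'weather', 'city' => 'Oxford', 'url' => 'http://other.example/x'], // stray url ignored
    ['service' => 'http://other.example/x'],                                         // not a configured key
];
foreach ($samples as $req) {
    try {
        echo resolveUpstream($allowedServices, $req), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The proxy then fetches only the URL this function returns; a request that names an unconfigured service is rejected before any outbound connection is made.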
