I’m having a PHP script connect to and communicate with a Node.js server. The Node.js should only respond to requests from the PHP script so I need to make sure the Node server has some sort of authentication method.
Now to identify it’s actually the PHP script connecting, I was thinking of just using some cheap authentication like sending a pre-shared secret along with the request that the PHP script is making. The Node server simply compares this with its own secret and if they match, it can be assumed it’s the script connecting and not somebody else (assuming SSL has built-in ways to prevent replay attacks).
This whole process will be done over HTTPS which has the added bonus of the script being able to confirm the identity of the Node server.
Is this secure enough or should I do some proper SSL-based client authentication? After all, it’s over HTTPS so the pre-shared secret shouldn’t be easily sniffed out right?
HTTPS is not replayable (because the ServerHello message includes a random number used to produce the shared key for the connection), and since you are talking over a secure channel your pre-shared secret cannot be sniffed either. As a quick and not-so-dirty solution your scheme sounds fine to me.