Home/ Questions/Q 7635461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T07:25:54+00:00

I’ve got two servers on two locations. Server 1 subtracts client-information (like addresses, email

  • 0

I’ve got two servers on two locations.
Server 1 subtracts client-information (like addresses, email and telephone numbers) of server 2 via a php CURL session with a custom user agent which server 2 checks. Server 2 serves a JSON string.

I want to make sure two things:

  1. If some one sniffs my packages it won’t see the actual data;
  2. If some one tries to call the php page on server 2 (with the proper
    user agent) en got served something it isn’t making sense to them
    (e.g.: the clients email or telephone number).

After looking at different methods I was thinking to encrypt the JSON text string on server 2; get it with curl from server 1; and decrypt it with a shared key.

Things i would like to know:

  1. Which cipher should I use?
  2. Is this overkill?
  3. Or is there a better way to achieve this?

BTW: merging the two servers is not an option!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Instead of implementing your own encryption routine, I’d recommend serving your json data from server 2 over https, that will take take care of the encryption nicely.

    Note that you do not need to purchase a certificate, you can self-sign server2 and have curl in server1 allow “insecure” https connection (insecure means that the cert is not trusted, but the data is still encrypted).

    To whitelist who is allowed to request data from server 2, whitelist by ip if you are able. Another way (or in addition), could be a simple signature system with a shared secret.

    For illustration, set up a custom http header when server 1 makes the request (say “My-Signature”) and use a set up your signature “algorithm” (simple example in php below):

    $sig = sha1($user_agent
            . $date_header_value
            . $http_request_path
            . $http_query_string
            . $http_raw_post_payload
            . $shared_secret);

    Then you can set up the request header:

    My-Signature: $sig

    You can make your signature system as complicated as you’d like. The idea is that server2 knows the same signature “recipe”, can extract all the fields it needs from the request headers, the query string, and post payload, and use the shared secret to compute the signature on its side.

    Compare the computed signature, to the signature passed in the My-Signature header and serve the request if they match. If not, serve a 403 response page.

    • 0