I’ve got two systems that need to talk. The systems are setup likeso:

System A, running Django (Python 2.5) on Google App Engine (GAE)

System B, running Django (Python 2.6) on Ubuntu/Linux over Lighttpd (maybe nginx, later)

System A will periodically make requests (‘requisitions’) of System B using Url Fetch.

System B has a Django app setup to listen for these requests with a urls.py with something like:

urlpatterns = patterns('producer.views',
    url(r'^requisition$', 'requisition', name='requisition'),
)

And a corresponding views.py with something like:

import json
from django.http import HttpResponse

def requisition(request):
    " do something "
    response = HttpResponse()
    response['Content-type'] = 'application/json'
    response.write(json.dumps(...))
    return response

It would be a valuable addition to security of the system if System B responded to requisitions only from System A.

I’d like to know what options are available for System B to verify that requests have come from System A. I’ve considered the following:

• Check that the IP address is from GAE (however I don’t know the GAE IP addresses, they may change, and they may be spoofed)
• Check that the reverse DNS of the IP is from GAE (however I don’t know what GAE’s DNS entries are, if they will change, and they may be spoofed)
• Use a TLS client certificate from System A – but I don’t know how to do this with GAE
• Do a challenge/response based on something shared, like a salt, with pycrypto

Ideally I want to end up with a views.py with something likeso:

... 
from django.http import HttpResponseForbidden 

def requisition(request):
   " do something "
  if not verify_request_origin():
     return HttpResponseForbidden("Denied.")

  response = HttpResponse()
  ...

Where verify_request_origin() returns true when the request made to System B was from System A on GAE.

Thank you and I look forward to hearing your thoughts.