Simple HTTP Access Authorisation

Mon, 14. Jun 2010

Categories: en sysadmin Tags: apache authentication authorisation Basic Authentication Cram htaccess HTTPS mod_rewrite rest restful RewriteCond RewriteRule

Sometimes you may want to lock down RESTful APIs or plain HTTP GET resources so that only your own client software can access them, without requiring authentication. You don’t know who the caller is (not authenticated), but you know she may access the resource (is authorised).

If the server has a valid SSL certificate chaining to a root certificate pre-installed on the iPhone, one of the simplest ways to do it is:

RewriteEngine On
RewriteCond %{HTTP:My-Secret-Token} !=WRdsWXwwTZjEIRrgD5tODVf0U
RewriteRule ^.*$ - [forbidden,last]
# Test: $  curl --header "My-Secret-Token:WRdsWXwwTZjEIRrgD5tODVf0U"
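The same check as the rewrite rule above, re-implemented as a small Python WSGI app. This is an added example, not code from the post: it looks up the My-Secret-Token header the way Apache's %{HTTP:...} does, compares it in constant time, and answers 403 like the [forbidden] flag. The token literal is the one from the rule; the header name and app structure are my own assumptions.

```python
import hmac

# Token from the rewrite rule above (rotate it: it is only as secret as the client binary).
SECRET_TOKEN = "WRdsWXwwTZjEIRrgD5tODVf0U"
HEADER_NAME = "my-secret-token"  # HTTP header names are case-insensitive


def is_authorised(headers):
    """Mirror of: RewriteCond %{HTTP:My-Secret-Token} !=<token>.

    `headers` maps header name -> value as received. Returns True only when the
    header is present and equals the token. hmac.compare_digest takes time
    independent of where the strings first differ, so a wrong token cannot be
    guessed one character at a time from response timing; a plain string
    compare such as the one in the rewrite rule does not promise that.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME:
            presented = value
            break
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), SECRET_TOKEN.encode())


def app(environ, start_response):
    """Minimal WSGI app: 403 unless the token header matches, else 200."""
    # WSGI exposes request headers as HTTP_<NAME> keys, uppercased with '-'
    # turned into '_', the same scheme Apache uses for %{HTTP:...} lookups.
    headers = {k[5:].replace("_", "-"): v
               for k, v in environ.items() if k.startswith("HTTP_")}
    if not is_authorised(headers):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Hello, authorised client\n"]


if __name__ == "__main__":
    # Serve locally so the curl test from the post can be run against it:
    #   curl --header "My-Secret-Token:WRdsWXwwTZjEIRrgD5tODVf0U" http://127.0.0.1:8080/
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Putting the check in the application instead of .htaccess is only worthwhile when the transport is HTTPS; over plain HTTP the token is readable on the wire either way.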

Having to decompile the App may raise the bar high enough, though hard-coded secrets are certainly not bulletproof, Secret-Service-grade protection. If you don’t want the password or secret token as a literal string inside the App, synthesize it at runtime.

If your transport channel isn’t confidential (e.g. plain HTTP rather than HTTPS), consider Digest Authentication or a custom CRAM-like mechanism, which I will not go into in this post.

P.S.: Here are some really nice .htaccess examples.