> Are you attempting to reencrypt the parameters with another key? If so then why run that through https?
I think they are talking about generating a hash from all of the parameters in the request + a secret, pre-shared key. Doing so prevents MITM attacks from changing the parameters.
This article also inspired me to lock down my own API I designed; it's really good advice. The question is only, they wanted to provide a very simple interface, so what is the right trade-off, security vs. developer UI?
> I think they are talking about generating a hash from all of the parameters in the request + a secret, pre-shared key. Doing so prevents MITM attacks from changing the parameters.
IIRC, Amazon does this (among many others).
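The parameter-signing scheme described in the comments above, worked through as an added example (this is not code from the article or from any commenter, and the key, parameter names and `signature` field are constructed for illustration). The client computes an HMAC-SHA256 over a canonical serialization of the request parameters with the pre-shared secret and sends it alongside them; the server recomputes the same value and compares in constant time. Anyone who alters a parameter in transit without the secret produces a request whose signature no longer verifies. Two details the comments leave implicit are made explicit here: the parameters must be serialized deterministically (sorted keys, consistent encoding) or legitimate requests fail depending on parameter order, and HMAC is used rather than a bare hash of secret-plus-parameters so that length-extension attacks on the hash do not apply.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed sample secret for the example; a real API would provision
# a distinct key per client and keep it out of source control.
SHARED_SECRET = b"example-pre-shared-key"


def canonical_query(params: dict) -> str:
    """Deterministic serialization of the parameters to be signed.

    Keys are sorted and percent-encoded so that the client and server
    produce byte-identical input regardless of the order the parameters
    were supplied in. The signature field itself is excluded, since it
    cannot be part of the data it authenticates.
    """
    items = sorted((k, str(v)) for k, v in params.items() if k != "signature")
    return urlencode(items)


def sign_params(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 of the canonical query string under the shared secret."""
    message = canonical_query(params).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_signed_request(params: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Client side: attach the signature to a copy of the parameters."""
    signed = dict(params)
    signed["signature"] = sign_params(params, secret)
    return signed


def verify_request(received: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Server side: recompute the HMAC over what arrived and compare.

    compare_digest is used instead of == so that the comparison time does
    not leak how many leading characters of the signature were correct.
    """
    presented = received.get("signature")
    if not isinstance(presented, str) or not presented:
        return False
    expected = sign_params(received, secret)
    return hmac.compare_digest(presented, expected)


def demo() -> tuple:
    """Sign a constructed request, then show that tampering with a
    parameter in transit makes verification fail."""
    request = build_signed_request(
        {"action": "transfer", "amount": "10", "to": "alice"}
    )
    genuine_ok = verify_request(request)

    # Simulated man-in-the-middle change to one parameter.
    tampered = dict(request)
    tampered["amount"] = "1000"
    tampered_ok = verify_request(tampered)

    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine verifies, tampered verifies:", demo())
```

Parameter order does not affect the result because of the canonical serialization, so a client library that emits parameters in a different order than the server expects still interoperates. A signature computed under a different secret, or a request with the signature field stripped, is rejected on the same path as a tampered parameter.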