I need to collect XML files from a 3rd party's web server.

These XML files are generated by said 3rd party on a daily basis (e.g. data_2015-11-26.xml) and should therefore be fetched at least daily as well, by a scheduled task of some sort, probably running on a Windows Server based OS. The files will be imported into an ERP system later on.

The suggestion by the 3rd party was to implement this with Apache's .htpasswd, i.e. password-protecting a directory with HTTP basic authentication, but over HTTPS.

I hope this question isn't too vague, but would this approach be "reasonably secure"?

What other (better) options are there? Would it make sense to additionally encrypt the XML file itself?

I'd like to keep this fairly simple, while also considering security.

Vilican
tuesprem

1 Answer


The "level" of security for this really depends on what the XML files contain. If the XML files contain confidential data then you may want to explore further techniques than those discussed here.

The suggestion of using basic auth can work; however, there are many reasons why you should consider using a different authentication method, which have been discussed in the following question:

https://security.stackexchange.com/a/990/80801

If you're using SSL/TLS then you're more than likely fine using basic auth; just consider the points made within the question above. Another technique you may wish to consider is restricting access to the endpoint to only certain IP addresses. I would personally recommend using some form of authentication method provided by a framework of your choice rather than attempting to roll your own at any point.

As for the question about encrypting the files... It wouldn't hurt to throw them into an encrypted zip as an additional layer of security. Ideally this would be protected with a different password / passphrase than the basic auth, which is pre-shared between yourself and the third-party client.

Leth0_

  • @tuesprem It isn't that difficult to generate a self signed encryption certificate using OpenSSL. Your other party can now encrypt the XML file using that cert, providing an extra layer of protection in case an attacker can find a way to retrieve the file. XML has standards and [software](http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html) for encrypting and decrypting data. – Andrew Philips Nov 27 '15 at 07:51
  • @AndrewPhilips I wasn't aware of these standards but yeah, looks good and shouldn't be too hard to implement. +1 – Leth0_ Nov 27 '15 at 07:57
  • You bet. Seems like OP was concerned about RSA and wanted to offer some encouragement. Your answer was great. – Andrew Philips Nov 27 '15 at 08:00
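As an added example, not code from the question, the answer, or the commenters: a PowerShell script of the kind a Windows Server scheduled task would run to fetch the daily `data_YYYY-MM-DD.xml` file over HTTPS with basic auth, applying the points made above (HTTPS only, no hard-coded password, no custom certificate-validation bypass, and a check that what arrived is actually XML before the ERP import sees it). The host `example.invalid`, the paths under `C:\FeedFetch`, and the credential file produced by `Export-Clixml` are assumptions; the optional last step assumes the third party encrypts each file to your certificate in CMS/PKCS#7 format, as the comments suggest, which is what `Unprotect-CmsMessage` expects.

```powershell
# Added example: daily feed fetch for a Windows Server scheduled task.
# Assumed setup (not from the original page):
#   - files live at https://example.invalid/feed/data_YYYY-MM-DD.xml behind
#     Apache .htpasswd basic auth
#   - the credential was stored once, under the task's service account, with
#       Get-Credential | Export-Clixml -Path C:\FeedFetch\feed-cred.xml
#     (Export-Clixml protects the password with DPAPI for that account/machine)
param(
    [string]   $BaseUrl  = 'https://example.invalid/feed',   # placeholder host
    [string]   $CredPath = 'C:\FeedFetch\feed-cred.xml',
    [string]   $OutDir   = 'C:\FeedFetch\inbox',
    [datetime] $Date     = (Get-Date)
)

$ErrorActionPreference = 'Stop'

# 1. Refuse anything but HTTPS: basic auth only base64-encodes the password,
#    so TLS is the only thing keeping it confidential on the wire.
if (([uri]$BaseUrl).Scheme -ne 'https') {
    throw "BaseUrl must use https: $BaseUrl"
}

# 2. Require TLS 1.2 for this process. Windows PowerShell 5.1 on older
#    servers may otherwise still offer TLS 1.0.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 3. Load the credential from the DPAPI-protected file instead of embedding
#    it in the script or the task definition.
$cred = Import-Clixml -Path $CredPath

# 4. Derive the file name from the date and validate it against the fixed
#    pattern before it becomes part of a local path. The name never comes
#    from the server.
$fileName = 'data_{0}.xml' -f $Date.ToString('yyyy-MM-dd')
if ($fileName -notmatch '^data_\d{4}-\d{2}-\d{2}\.xml$') {
    throw "Unexpected file name: $fileName"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$target = Join-Path $OutDir $fileName

# 5. Fetch. Invoke-WebRequest validates the server certificate by default;
#    do not add -SkipCertificateCheck or a ServerCertificateValidationCallback
#    to "make it work" against a broken certificate. -Credential answers the
#    server's 401 challenge with the stored basic-auth credential.
$response = Invoke-WebRequest -Uri "$BaseUrl/$fileName" -Credential $cred `
                              -OutFile $target -PassThru

# 6. Sanity-check the download before the ERP import picks it up: status 200
#    and a well-formed XML document. This catches an HTML login/error page or
#    a truncated transfer being saved under an .xml name.
if ($response.StatusCode -ne 200) {
    Remove-Item -Path $target -ErrorAction SilentlyContinue
    throw "HTTP $($response.StatusCode) for $fileName"
}
try {
    [xml](Get-Content -Path $target -Raw) | Out-Null
} catch {
    Remove-Item -Path $target -ErrorAction SilentlyContinue
    throw "Downloaded file is not well-formed XML: $_"
}

# 7. Optional second layer (assumption: the third party encrypts each file to
#    your certificate in CMS/PKCS#7 format, as discussed in the comments).
#    The private key sits in the service account's certificate store, so the
#    file is keyed independently of the basic-auth password.
# Unprotect-CmsMessage -Path $target | Set-Content -Path $target -Encoding UTF8

Write-Output ("Fetched {0} ({1} bytes) to {2}" -f $fileName, (Get-Item $target).Length, $OutDir)
```

Register the script with Task Scheduler under a dedicated service account that is the only principal able to read `feed-cred.xml` and the inbox folder; because `Export-Clixml` ties the stored password to that account and machine, the credential file is useless if copied elsewhere. If the XML check in step 6 fails, the partial file is deleted rather than left for the ERP import to consume.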