
Here is what I'm facing:

  • A: a client app written in QT/C++
  • B: a server with apache+php+mysql+linux

Now A wants to post some private data to B using a RESTful interface, the problems are:

  1. how to ensure the security of the data transmission
  2. how to ensure only a legal client posting the data.

I am thinking about OpenSSL, but I don't know where to start, will someone show me the way?

PS. My client app can be downloaded freely by users without registration or any user info. Then the users use my app to run a test and post their result. Finally, I want to ensure those result data are posted by my client app because fake data can be annoying.

xanadu
  • maybe this post would help http://stackoverflow.com/questions/5630512/support-for-https-using-qnetworkaccessmanager-hitting-sslerrors-at-runtime – camino Mar 08 '13 at 04:30
  • @camino: You could make your app sign the data using a private key coded into the app. – alk Mar 08 '13 at 07:41
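The signing approach suggested in the comments, shown from the server side as an added example (not code from the question or any answer): a PHP endpoint on the Apache+PHP server that checks an RSA signature over the posted JSON and rejects plain-HTTP or stale submissions. Assumed: the client sends the JSON body with a base64 signature in a header named X-Client-Signature, the public key lives at a placeholder path, and the JSON carries a `ts` field with the client's Unix time.

```php
<?php
// Added example, not from the original post. Assumptions: client POSTs JSON,
// signs it (SHA-256, RSA PKCS#1 v1.5) with a key built into the app, and sends
// the base64 signature in X-Client-Signature; the server holds only the public key.
// Caveat: a key embedded in a freely downloadable binary can be recovered by
// inspecting it, so this raises the bar against casual fake data rather than
// making forgery impossible.

const PUBLIC_KEY_PATH = '/etc/myapp/client_pub.pem'; // placeholder path
const MAX_AGE_SECONDS = 300;                           // reject old (replayed) results

function verify_client_signature(string $body, string $sig_b64, string $pubkey_pem): bool
{
    $sig = base64_decode($sig_b64, true);   // strict mode: reject non-base64 input
    if ($sig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($pubkey_pem);
    if ($key === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); only 1 passes
    return openssl_verify($body, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

function handle_post(): void
{
    // Apache sets HTTPS for requests that arrived over TLS; refuse anything else
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('TLS required');
    }
    $body = file_get_contents('php://input');
    $sig  = $_SERVER['HTTP_X_CLIENT_SIGNATURE'] ?? '';
    $pem  = file_get_contents(PUBLIC_KEY_PATH);
    if ($pem === false || !verify_client_signature($body, $sig, $pem)) {
        http_response_code(401);
        exit('bad signature');
    }
    $data = json_decode($body, true);
    // The timestamp is inside the signed body, so a replayed old result is rejected
    if (!is_array($data) || !isset($data['ts']) || abs(time() - (int)$data['ts']) > MAX_AGE_SECONDS) {
        http_response_code(400);
        exit('bad or stale payload');
    }
    // $data came from a holder of the client key; still validate every field
    // before writing it to MySQL with prepared statements.
    http_response_code(204);
}

handle_post();
```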

2 Answers


To transmit the data securely you need to use an SSL-encrypted connection. To start, check the Apache documentation about how it works, how to generate a self-signed certificate and how to configure everything accordingly. You can also easily find more concise instructions on the web if you search.

The second part depends on your conditions. If your application works in a closed environment like intranet, then maybe you can just restrict access by IP address? Otherwise, you need some kind of authorization. You can use built-in HTTP authorization. Check the docs:

or search the web for more instructions.

In case you already have some authorization system, like a users database, then you will need to implement a REST API that the QT/C++ application will be able to use.

esycat
  • Thanks. The QT client is going to be distributed in an open environment. My app doesn't need, or can't have, a password to post data because we can't ask our users to register. Then how can I know it is "my app" that is posting data, rather than fake data – xanadu Mar 08 '13 at 05:17

Qt does nothing for you to protect your data. You should focus on securing your RDBMS first. Of course you should code your Qt client application carefully to prevent unintended behavior by checking and sanitizing all inputs, etc., but if you're not going to distribute it, this shouldn't be your most immediate concern.

If you plan to use PostgreSQL as the backend for your application, you can take some measures to mitigate the risks that come with exposing any service to the internets. The most basic:

  • Set up a firewall with proper rules. Allow inbound connections from trusted sources only.

  • Accept SSL connections only, even with a self-signed certificate.

  • Enforce strong passwords. Use client certificates if more appropriate.

  • Set your pg_hba.conf file to only accept connections from known/trusted addresses.

A very good example of using PostgreSQL is available on git: click here

Vineet1982
  • Thank you. But my situation is kind of different from what you mentioned above. My client app can be downloaded freely by users without registration or any user info. Then the users use my app to run a test and post their result. Finally, I want to ensure those result data are posted by my client app because fake data can be annoying – xanadu Mar 08 '13 at 05:35