0

I am currently running a public web API that runs on PHP. I was thinking of adding a local Node server with which the PHP can interact. It would allow me to do stuff like passing off long-running operations to Node, allowing me to respond to the user quickly instead of blocking the PHP script while the long operation is running. After the operation completes, I can use Firebase to send a push message, informing the user that his operation is complete.

The PHP service is secured through SSL, but I was thinking that I could maybe run the local Node server through HTTP because it's local anyway. It's not accessible through a public IP.

Would this be a secure solution?

1 Answer

1

If I understand correctly, in the first case, all operations are made on the service accessible on the public IP. In the second case, operations are offloaded to a second service running on localhost.

It seems to me that in both cases, your security is dependent on the security of the public service, assuming you try to protect yourself against somebody trying to hijack your service from the exterior.

Have a nice day.

MathieuR
  • Well yeah, the public service is the entry point so its security should be tight. But would it, for example, be possible for a network infiltrator, who managed to get into the network through other means than the public API, to intercept the traffic between the public service and the localhost service? Maybe I should make a new question of this – CantThinkOfAnything Nov 08 '17 at 11:46
  • Assuming you are on Linux, to intercept the traffic on your local interface an attacker would need to have root privileges on the server. If somebody can achieve this, it pretty much means that your security policy was defeated and the server can't be considered trustworthy nor any data or process running on it safe. Adding HTTPS on the localhost service is a free (in time and computing resources) way to make the attacker's task a little harder, but if the attacker is already there then you have already lost, as he has many options to cause damage to your system or steal your data. – MathieuR Nov 08 '17 at 11:55
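
An added example, not part of the original posts: a Node job endpoint for the PHP hand-off described in the question, bound explicitly to the loopback interface so that "not accessible through a public IP" is enforced by the service itself. The port, the `/jobs` path, the `x-worker-token` header and the `WORKER_SECRET` variable are assumptions made for illustration.

```javascript
// Added example: loopback-only job endpoint for a local PHP -> Node hand-off.
// Port, path, header name and secret source are assumptions, not from the page.
const http = require('node:http');
const crypto = require('node:crypto');

const HOST = '127.0.0.1';   // explicit: listen(port) alone binds all interfaces
const PORT = 3001;          // assumed port
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function isLoopback(addr) {
  return LOOPBACK.has(addr);
}

// Constant-time comparison of the caller's token against the shared secret.
function tokenOk(given, secret) {
  const a = crypto.createHash('sha256').update(String(given)).digest();
  const b = crypto.createHash('sha256').update(String(secret)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Pure admission decision so it can be checked without opening a socket.
function admit({ remoteAddress, method, url, token }, secret) {
  if (!isLoopback(remoteAddress)) return 403;        // defence in depth behind the bind
  if (method !== 'POST' || url !== '/jobs') return 404;
  if (!token || !tokenOk(token, secret)) return 401; // any local process can reach loopback
  return 202;
}

function createWorker(secret, runJob) {
  return http.createServer((req, res) => {
    const status = admit({
      remoteAddress: req.socket.remoteAddress,
      method: req.method,
      url: req.url,
      token: req.headers['x-worker-token'],
    }, secret);
    if (status !== 202) { res.writeHead(status).end(); return; }
    let body = '';
    req.on('data', (c) => { body += c; if (body.length > 65536) req.destroy(); });
    req.on('end', () => {
      res.writeHead(202).end();          // answer PHP immediately
      setImmediate(() => runJob(body));  // long-running work happens after the reply
    });
  });
}

// Start with: createWorker(process.env.WORKER_SECRET, handler).listen(PORT, HOST);
```

After starting it, `ss -ltn` on the server should show the port listening on `127.0.0.1` only, not on `0.0.0.0` or `[::]`.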