Closed judgej closed 8 years ago
The purpose is to somewhat make clear that the message is really from Payone, in addition to the IPv4 source address, which can be easily forged.
For exactly the reason you stated we strongly recommend making the Transaction Status receiver available to Payone through a secure connection. I'll emphasize this in the documentation.
Closed with d962ff7
Okay, thanks. The key is just an authentication check, and tamper-protection happens in the transport.
All clear :-)
What is the purpose of the key sent with the transaction status message? My first thought was that it offers some tamper protection, but it doesn't hash any items in the sent message, so it can't.
It is more like including a password with every request, which is okay so long as the status message is over a secure connection. With a man-in-the-middle attack, the transaction can be tampered with and that tampering could not be detected. So what is the point of it?
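The distinction discussed in this thread, as an added example that is not part of the thread or the project's code: a static key sent with every message behaves like a password and still validates after another field is changed, while a MAC computed over the fields does not. The field names, both secrets and the HMAC scheme are assumptions constructed for illustration; the page does not show Payone's actual message format.

```python
import hashlib
import hmac

# Constructed values for illustration only; not real Payone parameters.
SHARED_KEY = "example-portal-key"    # static key included in every message
MAC_SECRET = b"example-mac-secret"   # hypothetical secret for a per-message MAC


def static_key_ok(message: dict) -> bool:
    """Password-style check: only the key field is examined."""
    sent = str(message.get("key", ""))
    return hmac.compare_digest(sent.encode(), SHARED_KEY.encode())


def canonical(message: dict) -> bytes:
    """Serialise every field except the MAC in a fixed, unambiguous order."""
    items = sorted((k, str(v)) for k, v in message.items() if k != "mac")
    # Length prefixes stop two different field sets from serialising alike.
    return "\n".join(f"{len(k)}:{k}={len(v)}:{v}" for k, v in items).encode()


def sign(message: dict) -> str:
    """HMAC-SHA256 over the canonical form of the message."""
    return hmac.new(MAC_SECRET, canonical(message), hashlib.sha256).hexdigest()


def mac_ok(message: dict) -> bool:
    """Integrity check: fails if any covered field differs from what was signed."""
    sent = str(message.get("mac", ""))
    return hmac.compare_digest(sent.encode(), sign(message).encode())


def demo() -> dict:
    # Constructed status message; field names are hypothetical.
    original = {"txid": "1001", "txaction": "paid", "price": "10.00",
                "key": SHARED_KEY}
    original["mac"] = sign(original)
    # Same message with one field altered in transit.
    tampered = dict(original, price="1000.00")
    return {
        "original_key": static_key_ok(original),
        "original_mac": mac_ok(original),
        "tampered_key": static_key_ok(tampered),   # still accepted
        "tampered_mac": mac_ok(tampered),          # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Without a per-message MAC, integrity rests entirely on the transport, which is why the receiver endpoint should only be reachable over a secure connection.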