4

I'm writing a WCF service, the purpose of which is to authenticate clients using a shared secret key. Each configured client will have its own unique shared key that only the client and the service know of. Part of this process means the auth service needs to be able to look up the configured shared key for each client when they request to be authenticated. The service is using the webHttpBinding, so I'd like to use an HTTP header for this if possible.

Is there a better header for the clients of this service to use than the "Referrer" header to declare their identification?

1 Answer

3

Referer is probably not a good choice, as I guess the client will know the URI of the server in advance (hardcoded or from a config), and the standard says:

“The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI”

I think either Authorization with a custom scheme (see also RFC 2617), or a non-standard header like X-Client-Id, would be a reasonable choice.
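The following is an added example, not part of the original answer: a sketch of the service-side check when the client identifier travels in `Authorization` under a custom scheme. The scheme name `SharedKey`, the `client-id:base64(HMAC-SHA256)` layout, the in-memory key table and the choice of signed bytes are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class SharedKeyAuth
{
    // Constructed sample key table (assumption); a real service loads keys from protected storage.
    static readonly Dictionary<string, byte[]> Keys = new Dictionary<string, byte[]>
    {
        { "client-a", Encoding.UTF8.GetBytes("constructed-demo-key-a") }
    };

    // headerValue: in WCF with webHttpBinding, read it from
    //   WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Authorization]
    // signedData: the bytes both sides agreed to sign (assumption); include a
    //   timestamp or nonce in them so a captured header cannot simply be replayed.
    public static bool TryAuthenticate(string headerValue, byte[] signedData, out string clientId)
    {
        clientId = null;
        const string scheme = "SharedKey "; // hypothetical custom scheme name
        if (headerValue == null || signedData == null ||
            !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        // Expected layout after the scheme: <client-id>:<base64 MAC>
        string[] parts = headerValue.Substring(scheme.Length).Trim().Split(':');
        if (parts.Length != 2 || parts[0].Length == 0) return false;

        byte[] presented;
        try { presented = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }

        // Look up the shared key by the declared client identifier.
        byte[] key;
        if (!Keys.TryGetValue(parts[0], out key)) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(signedData);

        // Compare without an early exit so timing does not leak matching bytes.
        if (expected.Length != presented.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        if (diff != 0) return false;

        clientId = parts[0];
        return true;
    }
}
```

The client identifier in the header only selects which key to check; the request is trusted only after the MAC verifies, so the secret itself never crosses the wire.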
