I have an API endpoint where external websites can send a POST request. What would be the best way to ensure that requests are authentic and not tampered with, so they respect the principle of integrity?
Since the data is not valuable, such as credit card information, I do not require HTTPS integration.
I looked at both HMAC and digital signatures, and I think the second option would be better, but I'm not sure if this is the way to go.
Similarly, is it enough to set the hash of the request and check it on my server?
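An added example, not code from the question or any answer, of the HMAC option the question weighs: the sender keys the MAC over method, path, timestamp and body, and the server recomputes it in constant time and bounds clock skew so an old request cannot be replayed indefinitely. The header names, the shared secret and the 300-second window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed per-client secret; in practice provisioned out of band, one per sender.
SECRET = b"constructed-shared-secret-for-example"
MAX_SKEW_SECONDS = 300  # assumed replay window


def canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Fixed, unambiguous byte layout so sender and receiver MAC the same thing.
    Covering method and path prevents a valid body being replayed against another route."""
    return b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp=None) -> dict:
    """Sender side: returns the headers to attach to the POST."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes, headers: dict, now=None) -> bool:
    """Receiver side: True only if the MAC matches and the timestamp is fresh.
    A plain unkeyed hash would not help here, since anyone who changes the body
    can recompute it; the shared key is what makes tampering detectable."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future timestamp: treat as replay
    expected = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison diverges through timing.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    body = b'{"event": "order.created", "id": 42}'  # constructed payload
    hdrs = sign_request(SECRET, "POST", "/hook", body)
    print("valid:", verify_request(SECRET, "POST", "/hook", body, hdrs))
    print("tampered:", verify_request(SECRET, "POST", "/hook", body + b" ", hdrs))
```

For full replay protection the server should also remember recently seen (timestamp, signature) pairs within the window, and rotate the secret per client.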