Have one Django application send a message to another Django application

I’m facing a use case in which I have a Django app that needs to send a POST request to another Django app to register some data.

What’s a good, secure way to have a Django backend send data to another Django backend, authenticating the message without using anything too fancy?

Using the knowledge from cryptography class, my instinct would have me have a public/private key pair for the sender app; then have the sender “decrypt” the payload with its private key, and have the recipient app “encrypt” it with the public key upon receiving it.

Is there anything (library, app, etc.) that works more or less like that? I wouldn’t want to have to implement that from scratch to avoid coming up with something potentially insecure.

Any input is welcome.

That you are trying to send from a Django instance doesn’t really affect anything.

If you’ve got a Django instance accepting POST requests from any source, that Django application needs to have some type of security. Whatever you implement on the receiving end determines what you’re going to do on the sending side.

For example, if your web app accepts a username / password combination for authentication, your sending app could use the same facilities - do a GET on the login page, POST the credentials, GET a form, POST the form data.

On the other hand, if your receiving app accepts a JSON POST, you might be able to add fields to the sending app to directly include the credentials.

If the two apps are running on the same system or even in the same network, you can probably be safe enough with doing some additional filtering by the requesting IP address.

With an HTTPS transmission, you don’t need to independently encrypt the payload - it’s already encrypted.

You really don’t need to get very sophisticated with this. A username / password pair (with a long randomized password) is almost certainly going to be sufficient for any reasonable use.


Thank you. The issue with this approach is that I was going to (due to requirements for the receiving app) disable username/password login altogether on the receiving app, and only allow login through Google account using django rest social oauth2. I could leave the regular login enabled just for that, but I would rather take another path if at all possible.

The two apps will indeed be running on the same VPS. I guess I could just require a “passcode” field with a pre-defined (long & random) value be present in the payload, and have the recipient discard any messages without it. Would that be safe enough, given that the payload is already encrypted due to the HTTPS transmission?

Yes, absolutely. There’s no need to get fancy with this. All you want is something to prevent someone without the right knowledge from submitting a post request to that URL.

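
The passcode check agreed on in this thread, sketched as an added example that is not code from any of the posters: the sender attaches a long random value to the JSON payload, and the receiver discards any message without it, comparing in constant time. The field name, the function names and the `INTERAPP_PASSCODE` setting are assumptions made for illustration.

```python
from __future__ import annotations

import hmac
import json
import secrets

# Hypothetical field name, following the thread's "passcode" wording.
PASSCODE_FIELD = "passcode"


def new_passcode() -> str:
    """Long random value to configure once on both apps (settings or env var)."""
    return secrets.token_urlsafe(48)


def build_payload(data: dict, passcode: str) -> bytes:
    """Sender: JSON body for the POST, with the shared passcode added."""
    if PASSCODE_FIELD in data:
        raise ValueError(f"{PASSCODE_FIELD!r} is reserved for authentication")
    return json.dumps({**data, PASSCODE_FIELD: passcode}).encode("utf-8")


def check_payload(body: bytes, expected: str) -> tuple[int, dict | None]:
    """Receiver: return (HTTP status, data with the passcode stripped)."""
    if not expected:
        # An empty configured value would let an empty passcode through.
        raise RuntimeError("passcode is not configured")
    try:
        payload = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return 400, None
    if not isinstance(payload, dict):
        return 400, None
    supplied = payload.pop(PASSCODE_FIELD, None)
    if not isinstance(supplied, str):
        return 403, None
    # Constant-time comparison: response time does not reveal how much matched.
    # "surrogatepass" keeps odd JSON escapes from raising during encoding.
    if not hmac.compare_digest(supplied.encode("utf-8", "surrogatepass"),
                               expected.encode("utf-8")):
        return 403, None
    return 200, payload


# In the receiving Django view (INTERAPP_PASSCODE is an assumed setting name):
#   status, data = check_payload(request.body, settings.INTERAPP_PASSCODE)
#   if status != 200: return HttpResponse(status=status)
```

Because the passcode is popped from the payload before it is returned, the receiving code that stores the data never sees or logs the secret.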