Encode/obfuscate HTTP parameters

醉话见心 2020-12-24 14:29

We are currently working on a very simple Webapp, and we would like to "obfuscate" (what would be the right term?) or encode somehow the request parameter, so

6 answers
  •  太阳男子
    2020-12-24 15:10

    If you're trying to restrict access to data then use some kind of login mechanism with a cookie providing a Single Sign On authentication key. If the client sends the cookie with the key then they can manipulate the data in accordance with the authorities associated with their account (admin, public user etc). Just look at Spring Security, CAS etc for easy to use implementations of this in Java. The tokens provided in the cookie are usually encrypted with the private key of the issuing server and are typically tamper proof.

    Alternatively, if you want your public user (unauthenticated) to be able to post some data to your site, then all bets are off. You must validate on the server side. This means restricting access to certain URIs and making sure that all input is cleaned.

    The golden rule here is to disallow everything, except stuff you know is safe.
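The deny-by-default rule from this answer, shown as an added example that is not part of the original post: a server-side check that accepts only parameters on an explicit allowlist. The parameter names (`id`, `action`, `title`), their patterns, and the sample requests are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

public class ParamAllowlist {
    // Hypothetical parameters for one endpoint: name -> pattern the whole value must match.
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "id",     Pattern.compile("[0-9]{1,9}"),
        "action", Pattern.compile("view|edit"),
        "title",  Pattern.compile("[\\p{L}\\p{N} .,'-]{1,80}"));

    /** Returns the validated values, or throws if anything is not explicitly allowed. */
    static Map<String, String> validate(Map<String, String[]> params) {
        Map<String, String> clean = new HashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            Pattern rule = ALLOWED.get(e.getKey());
            if (rule == null)                            // unknown name: deny by default
                throw new IllegalArgumentException("unexpected parameter: " + e.getKey());
            String[] values = e.getValue();
            if (values == null || values.length != 1)    // e.g. id=1&id=2
                throw new IllegalArgumentException("repeated or empty parameter: " + e.getKey());
            if (!rule.matcher(values[0]).matches())      // matches() tests the whole value
                throw new IllegalArgumentException("bad value for: " + e.getKey());
            clean.put(e.getKey(), values[0]);
        }
        if (!clean.keySet().containsAll(List.of("id", "action")))
            throw new IllegalArgumentException("missing required parameter");
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample requests, in the shape of ServletRequest.getParameterMap().
        List<Map<String, String[]>> requests = List.of(
            Map.of("id", new String[]{"42"}, "action", new String[]{"edit"}),
            Map.of("id", new String[]{"42abc"}, "action", new String[]{"edit"}),
            Map.of("id", new String[]{"42"}, "action", new String[]{"edit"},
                   "admin", new String[]{"true"}),
            Map.of("id", new String[]{"1", "2"}, "action", new String[]{"view"}));
        for (Map<String, String[]> r : requests) {
            try {
                System.out.println("accepted " + validate(r));
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
    }
}
```

Only the first sample request is accepted. Whether the caller may act on the given `id` is a separate authorization check against the authenticated account.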
