Bitcoin Forum

Bitcoin => Project Development => Topic started by: mcplums on July 12, 2015, 02:21:40 PM



Title: Is my bitcoin site susceptible to attacks?
Post by: mcplums on July 12, 2015, 02:21:40 PM
I'm creating a bitcoin site which automatically pays out bitcoin under certain circumstances. My plan is to have a php page which accepts data via POST and if the received data is correct it will pay out bitcoins.

I am wondering whether this is safe? The data sent over POST contains all the information required to send bitcoins. Is it possible for some '1337 haxor' to sniff out POST data?

If so, what about if the page that sends data via POST- and the page that receives data via POST- are both hidden behind a logon. I.e. the entire contents of both pages are hidden within an if($login->isUserLoggedIn() == true) statement- is this enough? Or is it trivial to get around this too?

Thanks chaps
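As an added example (not code from the thread or from the poster's site), here is the pattern the question describes next to the one that holds up: a handler that takes the amount and address from POST, and a handler that takes only a reward identifier from POST and reads everything else back from server-side state owned by the logged-in user. The table layout, the `Wallet` stand-in, the session CSRF token and the sample rows are all hypothetical; the in-memory SQLite database is used so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the original thread. Contrasts a payout handler that
// trusts POST data with one that treats POST as nothing more than a claim id.
// The table, the Wallet class and the login/session values are hypothetical
// stand-ins for the poster's own code.
declare(strict_types=1);

/** Hypothetical stand-in for the wallet RPC: records sends instead of broadcasting. */
final class Wallet
{
    public array $sent = [];
    public function send(string $address, int $satoshis): void
    {
        $this->sent[] = [$address, $satoshis];
    }
}

/**
 * VULNERABLE: amount and destination come from the client. The login check
 * only proves someone is logged in; it says nothing about whether the values
 * in the request are legitimate, so a logged-in user (or anyone editing the
 * request in a proxy) posts a bigger amount and their own address.
 */
function payoutTrustingPost(array $post, bool $loggedIn, Wallet $wallet): string
{
    if (!$loggedIn) {
        return 'denied';
    }
    $wallet->send((string) $post['address'], (int) $post['amount']);
    return 'paid';
}

/**
 * HARDENED: the client only names which reward it is claiming. Who it belongs
 * to, how much, and where it goes live server-side, and the row is claimed with
 * one conditional UPDATE so a replayed or concurrent request cannot pay twice.
 * Any 'amount' or 'address' field in $post is simply ignored.
 */
function payoutFromServerState(array $post, ?int $userId, string $sessionCsrf, PDO $db, Wallet $wallet): string
{
    if ($userId === null) {
        return 'denied';
    }
    // CSRF token from the form must match the one held in the session (constant-time compare).
    if (!isset($post['csrf']) || !hash_equals($sessionCsrf, (string) $post['csrf'])) {
        return 'bad csrf';
    }
    $rewardId = filter_var($post['reward_id'] ?? null, FILTER_VALIDATE_INT);
    if ($rewardId === false) {
        return 'bad request';
    }

    $db->beginTransaction();
    // Atomic claim: only an unpaid reward owned by *this* user flips to 'paid'.
    $claim = $db->prepare(
        "UPDATE rewards SET status = 'paid' WHERE id = :id AND user_id = :uid AND status = 'unpaid'"
    );
    $claim->execute([':id' => $rewardId, ':uid' => $userId]);
    if ($claim->rowCount() !== 1) {
        $db->rollBack();
        return 'nothing to pay';
    }
    // Destination and amount are read back from the row, never from $_POST.
    $row = $db->prepare('SELECT address, satoshis FROM rewards WHERE id = :id');
    $row->execute([':id' => $rewardId]);
    $reward = $row->fetch(PDO::FETCH_ASSOC);
    $db->commit();

    $wallet->send((string) $reward['address'], (int) $reward['satoshis']);
    return 'paid';
}

// --- Constructed demo data (hypothetical). Run with: php payout.php ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rewards (id INTEGER PRIMARY KEY, user_id INTEGER, address TEXT, satoshis INTEGER, status TEXT)');
$db->exec("INSERT INTO rewards VALUES (1, 42, '1ExampleUserAddressXXXXXXXXXXXXXXX', 5000, 'unpaid')");

$sessionCsrf = bin2hex(random_bytes(16)); // would be generated once per session and embedded in the form
// The request as it looks after being edited in an intercepting proxy:
$tampered = [
    'reward_id' => 1,
    'amount'    => 100000000,
    'address'   => '1AttackerAddressXXXXXXXXXXXXXXXXXX',
    'csrf'      => $sessionCsrf,
];

$w1 = new Wallet();
echo payoutTrustingPost($tampered, true, $w1), ' ', json_encode($w1->sent), PHP_EOL;

$w2 = new Wallet();
echo payoutFromServerState($tampered, 42, $sessionCsrf, $db, $w2), ' ', json_encode($w2->sent), PHP_EOL;
echo payoutFromServerState($tampered, 42, $sessionCsrf, $db, $w2), PHP_EOL; // same request replayed
echo payoutFromServerState($tampered, 7, $sessionCsrf, $db, $w2), PHP_EOL;  // a different logged-in user
```

Run it and the trusting handler pays the attacker-supplied address the attacker-supplied amount, while the hardened handler pays the stored address the stored 5000 satoshis, refuses the replay, and refuses another user's claim on the same reward. HTTPS is still needed on top of this (it stops a third party on the network from reading or altering the request), but it does nothing about the user editing their own request, which is what the server-side lookup and the conditional UPDATE address.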


Title: Re: Is my bitcoin site susceptible to attacks?
Post by: mcplums on July 12, 2015, 02:54:13 PM
This has been answered elsewhere. The answer was https!


Title: Re: Is my bitcoin site susceptible to attacks?
Post by: coinableS on July 13, 2015, 12:15:54 AM
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalk.org/index.php?topic=794468.msg8959853#msg8959853
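The post above is about editing POST fields at a proxy breakpoint between one page and the next. Keeping the state in a database, as the poster concluded, is the simplest answer. As an added example (not from the thread), the following shows the alternative for the cases where a value really has to round-trip through the client: the server signs the fields with an HMAC when it renders the form and verifies the signature on submission, so an edit made in Charles or any other proxy is detected. The secret, field names, sample values and time window are hypothetical.

```php
<?php
// Added example, not from the original thread. Binds form fields to an HMAC so
// that a value edited at a proxy breakpoint fails verification on the next page.
// SERVER_SECRET, the field names and the sample values are hypothetical.
declare(strict_types=1);

const SERVER_SECRET = 'replace-with-a-random-32-byte-secret-kept-out-of-the-repo'; // hypothetical
const MAX_AGE_SECONDS = 300; // a submission older than this is refused, which also bounds replay

/** Server side, when rendering the page that carries the values into the form. */
function sealFields(array $fields, int $now): array
{
    $fields['issued_at'] = $now;
    ksort($fields); // canonical order so signer and verifier hash identical bytes
    $payload = http_build_query($fields);
    $fields['sig'] = hash_hmac('sha256', $payload, SERVER_SECRET);
    return $fields;
}

/** Server side, on the receiving page. Returns the verified fields, or null on any failure. */
function openFields(array $post, int $now): ?array
{
    if (!isset($post['sig'], $post['issued_at'])) {
        return null;
    }
    $sig = (string) $post['sig'];
    unset($post['sig']);
    ksort($post);
    $expected = hash_hmac('sha256', http_build_query($post), SERVER_SECRET);
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;                       // any edited field changes the MAC
    }
    if ($now - (int) $post['issued_at'] > MAX_AGE_SECONDS) {
        return null;                       // stale: replayed from an old page
    }
    return $post;
}

// --- Constructed demo (hypothetical values). Run with: php sealed.php ---
$now  = time();
$form = sealFields(['user_id' => 42, 'win_satoshis' => 5000], $now);

// 1. Untouched submission verifies.
var_dump(openFields($form, $now) !== null);

// 2. Same submission after the amount was edited at a proxy breakpoint.
$edited = $form;
$edited['win_satoshis'] = 100000000;
var_dump(openFields($edited, $now) !== null);

// 3. Original submission replayed well after it was issued.
var_dump(openFields($form, $now + MAX_AGE_SECONDS + 1) !== null);
```

The first check passes and the other two fail. Note what the signature does and does not give you: it proves the fields are the ones the server issued, but the same user can still resubmit an unexpired form, so anything that must be paid exactly once still needs a server-side record of the claim (a nonce or a status column) in addition to the MAC.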



Title: Re: Is my bitcoin site susceptible to attacks?
Post by: cloverme on July 14, 2015, 02:55:02 AM
Quote
This has been answered elsewhere. The answer was https!

Not all woes are solved by https for making a site secure.

Development guide for secure web apps:  https://github.com/OWASP/DevGuide
Infrastructure scanning: https://www.qualys.com

-Consider where you're hosted, look for a hosting provider that has met NIST, PCI, FINRA, HIPAA or other certifications. No one should be able to call them and social engineer access.

-Review security on your domain. Make sure no one can transfer your domain or call them up and social engineer a transfer or DNS controls.

-Your database should be encrypted in transit (when you're accessing it) and at rest (when it's offline)

-Enforce strong passwords and multifactor authentication for access, especially for administrative functions.

-Use logging for access for your systems and for your application (adds/moves/changes)

-If you use encryption algorithms in your application, avoid SHA1, DES, and MD5. Use key lengths greater than 1024 bits.
-Don't store private keys on the same system or in code. You should make them non-exportable.

Look for other resources to help you develop a secure system and application.




Title: Re: Is my bitcoin site susceptible to attacks?
Post by: S4VV4S on July 14, 2015, 09:10:51 AM
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalk.org/index.php?topic=794468.msg8959853#msg8959853



Thanks for posting that.
I didn't know about Charles web debugging proxy.
Now I know :)


Title: Re: Is my bitcoin site susceptible to attacks?
Post by: meadefreling on July 14, 2015, 10:11:20 AM
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalk.org/index.php?topic=794468.msg8959853#msg8959853


When you battle with the above post of coinableS, you should take these 2 threads into consideration also: https://bitcointalk.org/index.php?topic=1121072.0 and https://bitcointalk.org/index.php?topic=880995.0
They are really good when used positively, but their negative usage could make someone bleed.