tls – Sending Post Requests Server to Server

I am creating a web application that is sending sensitive data between servers. I need to take user inputted web form data from website 1 (abc.com) and post the data to website 2 (xyz.com/api). Website 2 will capture the data from website 1 and score it and then return a json response that will be published in the user’s browser on website 1.

Both websites will have https.

An Asymmetric-Key using Open SSL will be used.

  • Website 1 will use open ssl to encrypt all data with a generated public key before sending and website 2 will unlock data with private key known by website 1 and 2.

  • With the transmission of the data, Website 1 will also send a signature with openssl_sign signed with the private key and that will be checked with a public key on website 2.

  • Response from website 2’s api will be sent back to Website 1 in json.

  • Before website 2 processes the posted request, it will verify the
    domain is authorized, it will verify the signature with
    openssl_verify and will verify the timestamp is within limits. It will sanitize data before processing it into a database.

In my application I have used php curl on website 1 to post to the api on website 2.

In my below questions, assume the web form on Website 1 is using best practices for validation and to sanitize the inputted data.

Here are my questions:

  1. Is this a secure model for a sever to server communication? Should I be considering other items?

  2. Do I need to be worried about the security of accepting post data from php curl?

  3. Instead of php curl what other methods can be used to post data to the api that may be more secure?

  4. Is it necessary to use open_ssl to encrypt the Json response from website 2 back to website 1?

  5. Is there a better model to accomplish the above?