I'm trying to minimize the vulnerability of the update server that hosts my updates (msi, exe) by limiting potential downloads only to updater.
As an example, let's consider that the following URLs (note they are rewritten) are used by updater and updates server,
updater URL : http://my_domain/downloads/product_name/updates/v15
license verification URL : http://my_domain/downloads/product_name ... fy_license
First of all the license verification URL is called by updater, and I'd like to pass some application specific token (security token) back to the updater along with success code after license verification process.
Afterwards, updater.exe starts actual downloading by calling my download URL and I'd like updater to pass my application generated token back to my application in order to verify that the request came from a valid updater (actually a client that passed verification....) rather than it was requested using browser...
Is there any such mechanism or something else that can help me to find a workaround?
Thank you in advance,