This invention relates generally to verifying security of an application executing on a client device, and more particularly to verification of the application when accessing a remote service at an application server through a network.
Application servers provide various content and services to client devices and to applications executing on the client devices. Each such application is referred to herein as a user-agent, or a user-agent application. As used herein, a user-agent is a software agent that acts on behalf of a user, such as a browser or a native application. As part of the Hypertext Transfer Protocol (HTTP), a user-agent will typically send a user-agent HTTP request to request content from another system. This request typically provides additional data describing characteristics of the user-agent, such as the identity of the user-agent providing the request, the platform on which the user-agent is executing (e.g., an operating system or a specific type of client device), and the capabilities of the user-agent application (e.g., what languages the user-agent is capable of interpreting, or what input or output devices are available to the application). This helps servers identify the user-agent, and can let the servers optimize the response to that user-agent. This data describing the user-agent may be included in the request and may be part of an HTTP request header.
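The following is an added example, not part of the patent text: a small Python parser for the User-Agent request header described above, splitting it into product/version tokens (identity) and parenthesised comments (platform details) following the RFC 7231 grammar. The sample header string is constructed for illustration; note in the comments that these values are self-reported by the client, which is why a server can use them to tailor a response but not to verify the requester.

```python
import re
from dataclasses import dataclass, field

# Constructed sample header for the example; not taken from a real capture.
SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/12.3 (Build; nested (deep))"


@dataclass
class UserAgent:
    products: list = field(default_factory=list)   # (name, version) pairs; version may be None
    comments: list = field(default_factory=list)   # platform/capability comments, in order


def parse_user_agent(header: str) -> UserAgent:
    """Split a User-Agent value per RFC 7231: product *( RWS ( product / comment ) ).

    Everything returned is client-supplied and unauthenticated: useful for
    selecting a response format, never as evidence of who or what sent the request.
    """
    ua = UserAgent()
    i, n = 0, len(header)
    while i < n:
        c = header[i]
        if c.isspace():
            i += 1
        elif c == "(":
            # Comments may nest and may contain backslash quoted-pairs; scan to the matching ")".
            depth, j = 0, i
            while j < n:
                if header[j] == "\\":
                    j += 2            # skip the escaped character
                    continue
                if header[j] == "(":
                    depth += 1
                elif header[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced comment in User-Agent")
            ua.comments.append(header[i + 1:j])
            i = j + 1
        else:
            # product = token ["/" product-version]; tokens never contain whitespace, "(", ")" or "/".
            m = re.match(r"([^\s()/]+)(?:/([^\s()]+))?", header[i:])
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            ua.products.append((m.group(1), m.group(2)))
            i += m.end()
    if not ua.products:
        raise ValueError("User-Agent must begin with a product token")
    return ua
```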
Application servers may provide HTML or other web pages for interpretation by the user-agent (i.e., a web browser) executing on the client device. These web pages may provide a variety of types of services that benefit from some verification of security and authenticity, such as banking, shopping, advertising, and so forth. Risks to an application's security from the perspective of the application server include cross-site scripting, viruses, malware, and automated bots. In general, attacks may prevent a user from properly viewing content provided by an application server, or may request or provide unauthorized information to an application server. In the advertising context, requests for content or advertising by an automated system (e.g., a bot) may trigger presentation of an advertisement that was never viewed by an actual user, falsely triggering payment by an advertiser for the impression.
This application describes protecting application servers or web services from a variety of attacks and security threats, for instance from potentially malicious user-agents, and protecting their customers' user-agents from attacks such as cross-site scripting (XSS) or man-in-the-middle (MitM) attacks.