Secure requests between different apps

Assume there are two different apps on appengine- one powered by Go and another by PHP

They each need to be able to make specific requests to eachother, purely over the backend network (i.e. these are the only services that need to make these specific requests- other remote requests should be blocked).

What is the best-practices way of doing this? Off the top of my head, here are 3 possible solutions and why I am a bit worried about them

1) Do not keep them as separate apps, but rather modules

The problem with this is that using modules introduces some other annoyances- such as difficulties with Channel Presence reporting. Also, conceptually, these 2 requests are really the only places they touch and it will be clearer to see what's going on in terms of database usage etc. if they are separated. But the presence issue is more of a show-stopper

2) Append the request with some hardcoded long secret key and only allow response if via SSL

It seems a bit strange to rely on this, since the key would never change... theoretically the only way it could be known is if an administrator on the account or someone with the source revealed it... but I don't know, just seems strange

3) Only allow via certain IP ranges (maybe combined with #2)

This just seems iffy, can the IP ranges be definitively known?

4) Pub/Sub

So it seems AppEngine allows a pub/sub mechanism- but that doesn't really fit my use case since I want to get the response right away - not via a postback once the subscriber processes it

All of them
-- As a side point, assuming it is some sort of https request, is this done using the Socket API for each language?

HTTPS is of course an excellent idea in general (not just for communication between two GAE apps).

But, for the specific use case, I would recommend relying on the X-Appengine-Inbound-Appid request header: App Engine's infrastructure ensures that this cannot be set on requests not coming from GAE apps, and, for requests that do come from GAE apps (via a url-fetch that doesn't follow redirects), the header is set to the app-id.

This is documented for Go at https://cloud.google.com/appengine/docs/go/urlfetch/ , for PHP at https://cloud.google.com/appengine/docs/php/urlfetch/ (and it's just the same for Java and Python, by the way).

> * purely over the backend network
> * Only allow via certain IP ranges

These requirement are difficult to impossible to fulfill with app engine infrastructure because you're not in control of the physical network routes. From the app engine FAQ:

> App Engine does not currently provide a way to map static IP addresses to an application. In order to optimize the network path between an end user and an App Engine application, end users on different ISPs or geographic locations might use different IP addresses to access the same App Engine application.

Therefore always assume your communication happens over the open network and never assume anything about IPs.

> Append the request with some hardcoded long secret key

The hard coded long secret does not provide any added security, only obscurity.

> only allow response if via SSL

This is a better idea; encrypt all of your internal traffic with a strong algorithm. For example, ECDHE-RSA or ECDHE-ECDSA if available.