If using HTTPS, you must specify a certificates file by calling SetCertificatesFile() with a .pem file that includes the certificate authority cert (like Verisign, Thawte, etc… or your own with OpenSSL) that signed your web server certificate. This must be called before making a request. You can use the Roku standard cert bundle (which contains certificates for most common signing authorities) stored in common:/certs/ca-bundle.crt; or download the CA certificate here.
Your web server can authenticate that the requested connection is from a Roku Streaming Player and that the request is from your application by taking the following actions:
- Add the Roku CA certificate to the web server's certificate authorities keychain. The Roku CA certificate is available in the SDK distribution package, in certs/cacert.pem
- Configure your web server to reject any connection that does not have a valid client certificate.
- , download the CA certificate.
- Check the X-Roku-Reserved-Dev-Id header in the request. It should contain the Developer ID of your application. If it does not, another application on the Roku is attempting to access the server, so the request should be rejected.