Some web hosting control panels work this same way: Monster Controls is just one that comes to mind. Your approach with the various components has been done before and it makes sense. Since security is #1, your service should only accept instruction verified to have come from the cgi and that it came from an authorized user (you). You might be able to do this with public / private key crypto: Provide your application your private key (or your passphrase to your private key) to encrypt messages bound for the service, and let the service decrypt messages with your public key. The question then becomes how much do you trust your cgi application? Or your browser? But I think that's a different topic - if somebody compromised the cgi, they could capture your passphrase or key, and if somebody compromised your browser (desktop), they could key-log your passphrase / key.