HTTP signature
- Małgorzata Woźniak
- Janina Mincer-Daszkiewicz
Levels of estimated error severity.
If an error is present in the context of an API (or endpoint), it applies only to that API (or endpoint).
Critical | This severity level implies that the process always/usually works badly. |
MAJOR | This severity level implies that the process works badly in some cases. |
MEDIUM | This flaw results in unfavorable behavior but the system remains functioning. |
LOW | This type of flaw won’t cause any major breakdown in the system. |
List of identified issues in this category (click on the title to show details)
Description | The format of Date or Original-Date header included in the client's request or the server's response is invalid. A typical problem is using wrong timezone. The specification says: "The format of the Original-Date header, if included, MUST match the "regular" format of the Date header, as defined in RFC 2616." and the RFC says: "All HTTP date/time stamps MUST be represented in Greenwich Mean Time (GMT), without exception.". |
|---|---|
Estimated severity | Critical |
Examples | A valid value:
Invalid values:
|
Suggested action | Enforce absolute compliance with the specification |
How communicated | Monitoring system Problem occurred for at least 4 providers in the DEV network |
Description | The time in Date or Original-Date header included in the client's request or the server's response doesn't match current time. The specification says: "(...) you MUST make sure that your clock is synchronized (otherwise your clients won't be able to use your service)." |
|---|---|
Estimated severity | Critical |
Examples |
|
Suggested action | Synchronize clocks |
How communicated | Monitoring system Problem occurred for at least 3 providers in DEV (link1, link2) |
Description | The value in Digest header included in the client's request or the server's response is invalid. Possible issue might be that the digest is calculated before the content is fully encoded. The specification says: "Many frameworks or proxies might try to automatically modify your response after you sign it. For example, they may try to add additional gzip coding to your response's Content-Encodings if they detect that the client supports it. In many cases, this would be a good thing, but in this case, such changes could break your HTTP Signature (because we sign the content after it has been encoded). Make sure that you disable such automatic modifications when you use HTTP Signatures for signing." |
|---|---|
Estimated severity | Critical |
Examples |
|
Suggested action | Enforce absolute compliance with the specification |
How communicated | Monitoring system Problem occurred for at least 2 providers in PROD and probably for 11 providers in DEV (link1, link2) |
Description | A client sends a request to a server, but rejects the server's keyId, or a server receives a request from a client, but rejects the client's keyId, even though the keyId is valid. The client/server might be misconfigured and using the wrong registry, i.e. PROD instead of DEV, or vice versa. |
|---|---|
Estimated severity | Critical |
Examples |
|
Suggested action | Enforce absolute compliance with the specification |
How communicated | Problem occurred for at least 5 providers in PROD (link1, link2) and for app. 3 providers in DEV (link1, link2) |
Description | The signature included in the client's request or the server's response is invalid. It may be a problem with proxies replacing the Date header, thus invalidating the signature. The specification says: "If your proxy is replacing the Date header, and you cannot reliably reconfigure it to not do so, then you MAY use the Original-Date header as a replacement for the Date header." |
|---|---|
Estimated severity | Critical |
Examples |
|
Suggested action | Enforce absolute compliance with the specification |
How communicated | Problem occurred for at least 5 providers in PROD (link1, link2) and for app. 3 providers in DEV (link1, link2) |