Signature scope
12.6.3.4.1.1. Defining the signature scope

The scope of the signature, i.e. the set of headers (and optionally the body) that are verified as part of the signature, is specified by the configuration.

It is defined by the following properties:

  • "Digest": defines whether a hash value of the HTTP request body is added to the HTTP headers.
  • "Signature Header Verifications": defines the set of HTTP headers of the request that must be part of the signature. It supports the following types:
    • "Mandatory HTTP Signature Header": The header must be part of the signature unless an additional condition (presence of another header or presence of a request body) is not met.
    • "Whitelist HTTP Signature Header": Ensures that only the whitelisted headers are in the signature.

According to the STET specification (V1.4.1.3 - 20190115) - section 3.5 ("Applicative authentication") - the following settings should be used:

IAM Config Property            | Value                                                                   | Description
-------------------------------|-------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------
Digest                         | "HTTP Instance Digest Verification" with allowed algorithm SHA-256.     | Ensures that the HTTP request body - if present - is hashed. The hash value is transferred in the HTTP header "Digest".
Signature Header Verifications | Values of type "Mandatory HTTP Signature Header" (see the table below). | Ensures that the listed HTTP headers are part of the signature.

Values of type "Mandatory HTTP Signature Header":

Header Name          | HTTP Signature Header Plugin         | Condition
---------------------|--------------------------------------|-----------------------------------------------
(request-target)     | Request Target HTTP Signature Header | -
Digest               | String HTTP Signature Header         | HTTP Request Body Is Present (see note below)
Date                 | String HTTP Signature Header         | -
Content-Type         | String HTTP Signature Header         | -
Content-Length       | String HTTP Signature Header         | HTTP Request Body Is Present
X-Request-ID         | String HTTP Signature Header         | -
PSU-IP-Address       | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-IP-Port          | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-HTTP-Method      | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Date             | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-User-Agent       | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Referer          | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Accept           | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Accept-Charset   | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Accept-Encoding  | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Accept-Language  | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-GEO-Location     | String HTTP Signature Header         | HTTP Request Header Is Present
PSU-Device-ID        | String HTTP Signature Header         | HTTP Request Header Is Present

Note on the "Digest" condition: the STET specification states that the "Digest" header must always be present, even if there is no body in the request. The recommended setting, i.e. only requiring the Digest header if there is a body, may be more robust in practice.
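As an added example (not code from the IAM product or from the STET specification), the following Python checks whether the "headers" parameter of an incoming Signature header covers every header that the settings above make mandatory, applying the "body is present" and "header is present" conditions, and recomputes the SHA-256 Digest when a body is present. The header list and conditions are taken from the table; the function names and the sample request are the example's own.

```python
import base64
import hashlib

# Constructed from the STET settings above: header name -> condition under which
# the header must be covered by the signature. None = always; "body" = only when
# the request has a body; "header" = only when the header itself is present.
MANDATORY = {
    "(request-target)": None, "digest": "body", "date": None,
    "content-type": None, "content-length": "body", "x-request-id": None,
    **{h: "header" for h in (
        "psu-ip-address", "psu-ip-port", "psu-http-method", "psu-date",
        "psu-user-agent", "psu-referer", "psu-accept", "psu-accept-charset",
        "psu-accept-encoding", "psu-accept-language", "psu-geo-location",
        "psu-device-id")},
}


def sha256_digest_header(body: bytes) -> str:
    """Expected value of the Digest header (SHA-256 instance digest) for a body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def required_headers(headers: dict, body: bytes) -> set:
    """Names (lower-case) that must appear in the Signature 'headers' parameter."""
    present = {k.lower() for k in headers}
    return {name for name, cond in MANDATORY.items()
            if cond is None or (cond == "body" and body)
            or (cond == "header" and name in present)}


def check_signature_scope(headers: dict, body: bytes, signed_headers: list) -> list:
    """Return scope violations for a request; an empty list means the scope is OK.

    signed_headers is the 'headers' parameter of the Signature header, split on
    spaces. When a body is present the Digest header is recomputed and compared.
    """
    covered = {h.lower() for h in signed_headers}
    problems = ["header not covered by signature: " + h
                for h in sorted(required_headers(headers, body) - covered)]
    lower = {k.lower(): v for k, v in headers.items()}
    if body:
        if "digest" not in lower:
            problems.append("Digest header missing although body is present")
        elif lower["digest"] != sha256_digest_header(body):
            problems.append("Digest header does not match body")
    return problems
```

The scope check only establishes that the required headers are inside the signed set; the cryptographic verification of the signature value itself is a separate step.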