Defining the signature scope

The scope of the signature - i.e. the set of headers and optionally the body that are verified to be part of the signature - is specified by the configuration.

It is defined by the following properties:

  • Digest: defines whether a hash value of the HTTP request body is added to the HTTP headers.
  • Signature Header Verifications: defines the set of HTTP headers of the request that must be part of the signature. It supports the following types:
    • Mandatory HTTP Signature Header: The header must be part of the signature unless an additional condition (presence of another header or presence of a request body) is not met.
    • Whitelist HTTP Signature Header: Ensures that only the whitelisted headers are in the signature.

According to the STET specification (V1.4.1.3 - 20190115) - section 3.5 ("Applicative authentication") - the following settings should be used:

IAM Config Property

Value

Description

Digest

HTTP Instance Digest Verification with allowed algorithms SHA-256.

Ensures that the HTTP request body - if present - is hashed. The hash value is transferred as HTTP header Digest.

Signature Headers
Verifications

Values of type Mandatory HTTP Signature Header:

Header Name

HTTP Signature Header Plugin

Condition

(request-target)

Request Target HTTP Signature Header

-

Digest

String HTTP Signature Header

HTTP Request Body Is Present (see Description)

Date

String HTTP Signature Header

-

Content-Type

String HTTP Signature Header

-

Content-Length

String HTTP Signature Header

HTTP Request Body Is Present

X-Request-ID

String HTTP Signature Header

-

PSU-IP-Address

String HTTP Signature Header

HTTP Request Header is Present

PSU-IP-Port

String HTTP Signature Header

HTTP Request Header is Present

PSU-HTTP-Method

String HTTP Signature Header

HTTP Request Header is Present

PSU-Date

String HTTP Signature Header

HTTP Request Header is Present

PSU-User-Agent

String HTTP Signature Header

HTTP Request Header is Present

PSU-Referer

String HTTP Signature Header

HTTP Request Header is Present

PSU-Accept

String HTTP Signature Header

HTTP Request Header is Present

PSU-Accept-Charset

String HTTP Signature Header

HTTP Request Header is Present

PSU-Accept-Encoding

String HTTP Signature Header

HTTP Request Header is Present

PSU-Accept-Language

String HTTP Signature Header

HTTP Request Header is Present

PSU-GEO-Location

String HTTP Signature Header

HTTP Request Header is Present

PSU-Device-ID

String HTTP Signature Header

HTTP Request Header is Present

Ensure that HTTP headers are part of the signature.

The STET specification states that the "Digest" header must always be present, even if there is no body in the request. The recommended setting, i.e. only require the Digest header if there is a body, may be more robust in practice.