The scope of the signature - i.e. the set of headers and optionally the body that are verified to be part of the signature - is specified by the configuration. It is defined by the following properties:
- "Digest": defines whether a hash value of the HTTP request body is added to the HTTP headers.
- "Signature Header Verifications": defines the set of HTTP headers of the request that must be part of the signature. It supports the following types:
- "Mandatory HTTP Signature Header": The header must be part of the signature unless an additional condition (presence of another header or presence of a request body) is not met.
- "Whitelist HTTP Signature Header": Ensures that only the whitelisted headers are in the signature.
According to the NextGenPSD2 specification (V1.3 - 20181019) - section 12.2 ("Requirements on the "Signature" Header") - the following settings should be used:
IAM Config Property | Value | Description | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Digest | "HTTP Instance Digest Verification" with allowed algorithms SHA-256 and SHA512. | Ensures that the HTTP request body - if present - is hashed. The hash value is transferred as HTTP header "Digest". | ||||||||||||||
Signature Headers Verifications | Values of type "Mandatory HTTP Signature Header":
To define the "Header Name" within the signature header plugins, use the plugin type "String HTTP Signature Header". | Ensure that HTTP headers are part of the signature. The NextGenPSD2 specification states that the "Digest" header must always be present, even if there is no body in the request. The recommended setting, i.e. only require the Digest header if there is a body, may be more robust in practice. | ||||||||||||||
Value of type "Whitelist HTTP Signature Headers":
| Ensures that no other than the listed headers are part of the signature. |