Plug to validate signature and digest HTTP headers

I am building an application where we have the requirement to check the digest and signature headers sent in HTTP requests.

The digest header contains a hashed version of the request body. (info)
The signature header contains a signed hash of the other headers in the request. (info)

Using the combination of these standards the whole request can be secured.

Are there any plugs that do one or both of the above?

I have started implementing one myself, however the digest plug needs to read the body but that can only be done once for a conn.

Highly likely that you may need your plug to read the body, and stash it in the conn for downstream plugs to use. I’ve had to do that to support a legacy API where the JSON body could contain authentication info that needs to be checked on every call.

1 Like

This is more or less what we ended up doing. Couldn’t think of anything better.

1 Like
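A sketch of the read-once-and-stash approach described in the replies, added here as an example and not code from any poster in this thread. The module name `ExampleDigestPlug`, the `:raw_body` private key, the 1 MB cap, and the restriction to a single `SHA-256=<base64>` Digest value are assumptions.

```elixir
defmodule ExampleDigestPlug do
  @moduledoc "Reads the body once, checks the Digest header, stashes the body."
  @behaviour Plug
  import Plug.Conn

  # Assumed upper bound; a larger body is rejected rather than buffered.
  @max_body 1_000_000

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    case read_body(conn, length: @max_body) do
      {:ok, body, conn} ->
        if digest_ok?(get_req_header(conn, "digest"), body) do
          # The body can only be read once, so keep the raw bytes on the
          # conn for downstream plugs (signature check, JSON decoding).
          put_private(conn, :raw_body, body)
        else
          reject(conn, 400, "digest missing or mismatched")
        end

      # More data than @max_body is pending: refuse instead of reading on.
      {:more, _partial, conn} ->
        reject(conn, 413, "body too large")

      {:error, _reason} ->
        reject(conn, 400, "unreadable body")
    end
  end

  # Only one header carrying one SHA-256 value is accepted in this sketch;
  # a missing header, several headers, or another algorithm all fail closed.
  defp digest_ok?(["SHA-256=" <> claimed], body) do
    expected = :sha256 |> :crypto.hash(body) |> Base.encode64()
    # Constant-time comparison of the two base64 strings.
    Plug.Crypto.secure_compare(expected, claimed)
  end

  defp digest_ok?(_headers, _body), do: false

  defp reject(conn, status, msg), do: conn |> send_resp(status, msg) |> halt()
end
```

The plug has to run before anything else that reads the body, and later plugs take the bytes from `conn.private[:raw_body]`. A signature plug would also need to confirm that the `digest` header is among the headers the signature covers, otherwise the digest check adds nothing.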