
Feature Request: Check for nonce? #168

Open
JeffKandel opened this issue Jun 14, 2018 · 2 comments

Comments

@JeffKandel

I would like to be able to include a nonce in the canonical string for added security. Would you be in favor of adding this feature?

If not, do you have any suggestions for a workaround? In my use case, I think I could put a nonce in the request body and Content-MD5. Is this reasonable?

@mgomes
Owner

mgomes commented Jun 15, 2018

Hi @JeffKandel, I don't see how adding a nonce would provide added security. Could you elaborate?

HMAC authentication is already protected against replay attacks by having things like the timestamp be part of the canonical string. We also by default reject requests older than 15 minutes for additional security.

@JeffKandel
Author

JeffKandel commented Jun 15, 2018

The use of a nonce doesn't add a new layer of defense, but it doesn't fortify the system against replay attacks. The option is a nice-to-have in my case, but I could imagine some projects with stricter requirements to use a nonce. If you agree, we could chat about implementation and I'd be happy to try it out.
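To make the replay question in this thread concrete, here is an added Ruby example (not the project's own code) of a verifier that signs a canonical string over method, Content-MD5, path and timestamp, rejects requests outside a 15-minute window, and optionally tracks a nonce. The canonical-string layout, the `:ok`/`:replayed` return values and the in-memory nonce store are assumptions for illustration; with a timestamp alone, an identical request re-sent inside the window still verifies, which is exactly the gap a nonce closes.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'time'

# Constructed verifier for the scheme discussed above: the canonical string
# covers method, Content-MD5, path and timestamp (plus an optional nonce),
# requests outside a 15-minute window are rejected, and with require_nonce
# a nonce seen before is rejected as a replay. Layout is an assumption.
class HmacVerifier
  MAX_AGE = 15 * 60 # seconds; the 15-minute window from the thread

  def initialize(secret, require_nonce: false, now: -> { Time.now })
    @secret, @require_nonce, @now = secret, require_nonce, now
    @seen_nonces = {} # nonce => expiry; a real service needs a shared store
  end

  def sign(method, content_md5, path, timestamp, nonce = '')
    canonical = [method, content_md5, path, timestamp, nonce].join(',')
    Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', @secret, canonical))
  end

  # Returns :ok or a symbol naming why the request was rejected.
  def verify(method:, body:, path:, timestamp:, signature:, nonce: '')
    content_md5 = Base64.strict_encode64(Digest::MD5.digest(body))
    expected = sign(method, content_md5, path, timestamp, nonce)
    return :bad_signature unless secure_compare(expected, signature)
    sent_at = Time.iso8601(timestamp)
    return :stale if (@now.call - sent_at).abs > MAX_AGE
    if @require_nonce
      return :missing_nonce if nonce.empty?
      @seen_nonces.delete_if { |_, expiry| expiry < @now.call }
      return :replayed if @seen_nonces.key?(nonce)
      @seen_nonces[nonce] = sent_at + MAX_AGE # once stale, the timestamp check covers it
    end
    :ok
  end

  private

  # Constant-time comparison so signature checks do not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because Content-MD5 is part of the canonical string, a nonce placed in the request body (the workaround floated above) is also covered by the signature; what it does not give you is the server-side "seen before" check that `require_nonce` adds.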
