I would like to be able to include a nonce in the canonical string for added security. Would you be in favor of adding this feature?
If not, do you have any suggestions for a workaround? In my use case, I think I could put a nonce in the request body and Content-MD5. Is this reasonable?
Hi @JeffKandel, I don't see how adding a nonce would provide added security. Could you elaborate?
HMAC authentication is already protected against replay attacks by having things like the timestamp be part of the canonical string. We also by default reject requests older than 15 minutes for additional security.
The use of a nonce doesn't add a new layer of defense, but it doesn't fortify the system against replay attacks. The option is a nice-to-have in my case, but I could imagine some projects with stricter requirements to use a nonce. If you agree, we could chat about implementation and I'd be happy to try it out.
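Added example, not code from this project or from any commenter in the thread: a verifier that applies the 15-minute timestamp check discussed above and also tracks a signed nonce, so the same request presented twice inside the window is told apart from a fresh one. The canonical string layout, the `Verifier` class, the in-memory nonce store and the sample request are all assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'

MAX_AGE = 15 * 60 # seconds: the 15-minute rejection window from the thread
FIELDS = %i[method path content_md5 timestamp nonce].freeze # assumed order

# Assumed canonical string layout; the nonce is signed with the other fields.
def canonical_string(req)
  req.values_at(*FIELDS).join(',')
end

def sign(secret, req)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, canonical_string(req)))
end

# Constant-time comparison so the check does not leak matching prefixes.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class Verifier
  def initialize(secret)
    @secret = secret
    @seen = {} # nonce => expiry; in-memory, so one process only
  end

  def verify(req, now)
    return :bad_signature unless secure_eq(sign(@secret, req), req[:signature].to_s)
    return :stale if (now - req[:timestamp]).abs > MAX_AGE
    @seen.delete_if { |_nonce, expiry| expiry < now } # nonces only need to outlive the window
    return :replayed if @seen.key?(req[:nonce])
    @seen[req[:nonce]] = req[:timestamp] + MAX_AGE
    :ok
  end
end

# Constructed request: the same signed message presented three times.
def demo
  secret = 'constructed-demo-secret'
  t0 = 1_700_000_000
  req = { method: 'POST', path: '/orders', content_md5: '', timestamp: t0, nonce: 'n-0001' }
  req[:signature] = sign(secret, req)
  v = Verifier.new(secret)
  [v.verify(req, t0 + 5), v.verify(req, t0 + 60), v.verify(req, t0 + MAX_AGE + 1)]
end
```

With several application servers the nonce store has to be shared between them, otherwise each server accepts the same request once.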