Signed Headers: A Safety Net for Application Security

By Colin Mo
September 7, 2023

Cryptographically signed headers are a fail-safe authentication mechanism that protects your applications when the controls in front of them, such as Mutual Transport Layer Security (mTLS, also known as mutual authentication) or the network perimeter, fail or are bypassed. Signed headers give the protected application defense in depth when:

  • Your reverse proxy or VPN is accidentally disabled or bypassed
  • Your firewalls or network perimeters are misconfigured
  • The application is unintentionally exposed directly to the internet
  • An internal user tries to reach the application directly, without authorization

What are signed headers?

Signed headers carry a JSON Web Token (JWT) that the proxy attaches to every request it forwards, so the upstream application can independently verify the user's identity. The token travels in an HTTP request header alongside the rest of the request.

At a minimum, the application should accept a JWT only if it meets the following criteria:

  • A valid cryptographic signature from a trusted source (in this case, Pomerium's signing key), verified before any claim is trusted
  • An expiration time (the exp claim) that has not yet passed
  • An issuer (iss) claim that identifies your Pomerium deployment and an audience (aud) claim that matches the protected application's domain

Together these checks make the JWT an additional form of authentication for the user or client, giving the application a layer of security beyond Transport Layer Security (TLS) alone: a request that reaches the application without a valid token can be rejected no matter how it arrived.
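The checks above, as an added example that is not code from the original post or from Pomerium itself. Pomerium forwards the token in the X-Pomerium-Jwt-Assertion request header and publishes the matching public key as a JWKS document; the Go program below skips the HTTP plumbing and the JWKS fetch and instead generates a P-256 key locally to stand in for Pomerium's signing key, mints an ES256 token with it so the example runs offline, and then performs the verification an upstream application would do on every request: pinned algorithm, signature under the trusted key, then exp, iss and aud. The domains, subject and claim set are constructed for the example, the Claims struct covers only the fields the checks need, and it assumes aud is a single string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of the assertion the app checks; a real Pomerium token carries more fields.
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"` // assumed to be a single string, not an array
	Subject  string `json:"sub"`
	Expiry   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// SignAssertion mints an ES256 JWT; it stands in for the proxy's signer so the example runs offline.
func SignAssertion(c Claims, key *ecdsa.PrivateKey) (string, error) {
	hdr := []byte(`{"alg":"ES256","typ":"JWT"}`)
	body, _ := json.Marshal(c) // marshalling a plain struct cannot fail
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS encodes ECDSA signatures as fixed-width r || s (32 bytes each), not DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is what the upstream app runs on every request: trusted signature,
// not expired, issuer and audience match. Any failure, including a missing token, denies.
func VerifyAssertion(token string, pub *ecdsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("missing or malformed token")
	}
	// Pin the algorithm; never let the token choose it ("none", HMAC key confusion).
	rawHdr, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected or unreadable alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	// Claims are untrusted input until the signature has checked out.
	rawBody, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	if c.Issuer != wantIss || c.Audience != wantAud {
		return nil, fmt.Errorf("iss/aud mismatch: got %q/%q", c.Issuer, c.Audience)
	}
	return &c, nil
}

func main() {
	// Locally generated key stands in for Pomerium's signing key; a real app loads the public key from Pomerium's JWKS.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	const iss, aud = "authenticate.example.com", "app.example.com" // constructed domains
	tok, _ := SignAssertion(Claims{Issuer: iss, Audience: aud, Subject: "user-1", Expiry: now.Add(5 * time.Minute).Unix()}, key)
	parts := strings.Split(tok, ".")
	none := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + parts[1] + "."
	cases := []struct{ name, tok, aud string; at time.Time }{
		{"valid", tok, aud, now},
		{"expired", tok, aud, now.Add(time.Hour)},
		{"wrong audience", tok, "other.example.com", now},
		{"alg=none", none, aud, now},
		{"proxy bypassed", "", aud, now}, // no header reached the app at all
	}
	for _, tc := range cases {
		_, err := VerifyAssertion(tc.tok, &key.PublicKey, iss, tc.aud, tc.at)
		fmt.Printf("%-15s allowed=%-5v %v\n", tc.name, err == nil, err)
	}
}
```

Note the order of the checks: the algorithm is pinned and the signature verified before any claim is read, so a token with alg set to none or a forged payload never reaches the expiry and audience checks, and a request that arrives with no token at all, the bypassed-proxy case the post is about, is denied by the same code path.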

How JWT authentication works with Pomerium

Think of the upstream app as the airplane at an airport and TLS as the security checkpoint (the long tunnel you walk through). Anyone boarding the airplane must first pass through the checkpoint, and when you get through, you get a stamp on your boarding pass that authorizes you to board.

But what if someone found a way to skip the security checkpoint and went straight to the airplane?

The airplane, like the upstream app, has no way of knowing whether a passenger came through the secure connection (the TLS tunnel), but the gate agents can check that the passenger has a stamp on their boarding pass.

A user's signed JWT acts as that stamp: if the network configuration in front of the app is wrong, the app can still deny any request that does not carry a JWT signed by Pomerium and grant only those that do.

When to use signed headers?

You should use signed headers for any application sensitive enough to justify mTLS. With Pomerium, signed headers can be added with little effort to give such applications an additional layer of security.

As covered earlier, signed headers keep protecting the application when network or infrastructure configuration goes awry, which is usually the result of human error.

Protecting All Your Applications with Pomerium

Pomerium is the top choice for companies looking for an open-source context-aware reverse proxy to manage secure, identity-aware access to applications and services. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium can easily add authentication and authorization to any resource.

Our customers depend on us to secure zero trust, clientless access to their web applications every day.

Check out our open-source GitHub repository or give Pomerium a try today!
