Signed Header

“Signed headers” typically refer to a security practice used in web applications and APIs to ensure the integrity and authenticity of data being transmitted between a client and a server. This practice involves digitally signing certain HTTP headers to provide a way for the server to verify that the request has not been tampered with and that it was indeed sent by the claimed sender.

Utilizing signed headers provides defense in depth to the protected application when:

  • Your reverse proxy or VPN is accidentally disabled
  • Your firewalls or network perimeters are misconfigured
  • The application is exposed to the internet
  • An internal user tries to gain unauthorized access

Here’s how the process generally works:

  1. Request Generation: When a client (such as a user’s browser or an application) sends an HTTP request to a server, it includes specific headers in the request, such as “User-Agent” and “Date.”
  2. Digital Signature: Before sending the request, the client calculates a cryptographic hash (often using a hashing algorithm like SHA-256) of the request payload, including the headers and the request body (if present). This hash is then signed with the client’s private key to create a digital signature.
  3. Header Addition: The digital signature is added as a separate header in the request, commonly named something like “X-Signature” or “Authorization.” This header contains the client’s public key, the hash algorithm used, and the actual signature.
  4. Server Verification: Upon receiving the request, the server retrieves the public key associated with the client and uses it to verify the digital signature. It recalculates the hash of the received headers and payload and checks it against the hash recovered from the signature. If they match, it indicates that the request has not been altered in transit and is indeed from the claimed sender.
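The four steps above, carried end to end as an added example (this is not code from the original page). It assumes Ed25519 as the signature algorithm (the page names only “a private key”), keeps the X-Signature header name from the page, and constructs its own Content-Digest header and keyId/alg/signature parameter format. It also goes one step beyond the text: the signed Date header is checked against the server clock, which is what turns a signature into a replay defence.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// signedHeaders is the fixed set of headers covered by the signature
// (constructed for this example; a real deployment agrees the list up front).
var signedHeaders = []string{"Host", "Date", "User-Agent", "Content-Digest"}

// canonical builds the exact byte string the client signs and the server
// re-derives: method and path, then each covered header as "name: value".
func canonical(method, path string, h http.Header) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s\n", method, path)
	for _, name := range signedHeaders {
		fmt.Fprintf(&b, "%s: %s\n", strings.ToLower(name), h.Get(name))
	}
	return b.String()
}

// SignRequest is the client side (steps 2 and 3): hash the body into
// Content-Digest, sign the canonical string, and add the X-Signature header.
func SignRequest(method, path string, h http.Header, body []byte, keyID string, priv ed25519.PrivateKey) {
	sum := sha256.Sum256(body)
	h.Set("Content-Digest", "sha-256="+hex.EncodeToString(sum[:]))
	sig := ed25519.Sign(priv, []byte(canonical(method, path, h)))
	h.Set("X-Signature", fmt.Sprintf("keyId=%s,alg=ed25519,signature=%s",
		keyID, base64.StdEncoding.EncodeToString(sig)))
}

// VerifyRequest is the server side (step 4): look up the client's public key,
// reject stale Date values (replay defence), re-hash the body, and verify.
func VerifyRequest(method, path string, h http.Header, body []byte,
	keys map[string]ed25519.PublicKey, now time.Time, maxSkew time.Duration) error {
	params := map[string]string{}
	for _, kv := range strings.Split(h.Get("X-Signature"), ",") {
		if k, v, ok := strings.Cut(kv, "="); ok { // Cut at the first '=' keeps base64 padding intact
			params[k] = v
		}
	}
	pub, ok := keys[params["keyId"]]
	if !ok || params["alg"] != "ed25519" {
		return errors.New("unknown key or algorithm")
	}
	sig, err := base64.StdEncoding.DecodeString(params["signature"])
	if err != nil {
		return errors.New("malformed signature")
	}
	// Replay defence: Date is covered by the signature, so an attacker cannot
	// refresh it; the server only accepts requests inside a short window.
	sent, err := http.ParseTime(h.Get("Date"))
	if err != nil {
		return errors.New("missing or malformed Date header")
	}
	if d := now.Sub(sent); d > maxSkew || d < -maxSkew {
		return errors.New("Date outside acceptance window (possible replay)")
	}
	// Body integrity: the body is bound through the signed Content-Digest.
	sum := sha256.Sum256(body)
	if h.Get("Content-Digest") != "sha-256="+hex.EncodeToString(sum[:]) {
		return errors.New("body digest mismatch")
	}
	if !ed25519.Verify(pub, []byte(canonical(method, path, h)), sig) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"client-1": pub} // server-side key registry
	now := time.Now()
	h := http.Header{} // constructed sample request headers
	h.Set("Host", "api.example.test")
	h.Set("Date", now.UTC().Format(http.TimeFormat))
	h.Set("User-Agent", "demo-client/1.0")
	body := []byte(`{"amount":10}`)
	SignRequest("POST", "/transfer", h, body, "client-1", priv)
	fmt.Println("genuine request:", VerifyRequest("POST", "/transfer", h, body, keys, now, 5*time.Minute))
	fmt.Println("tampered body:  ", VerifyRequest("POST", "/transfer", h, []byte(`{"amount":99}`), keys, now, 5*time.Minute))
	fmt.Println("replayed later: ", VerifyRequest("POST", "/transfer", h, body, keys, now.Add(time.Hour), 5*time.Minute))
}
```

The design choice worth noting is that the body is never signed directly: its SHA-256 digest is placed in a header that is part of the signed set, so the server checks body integrity with one hash comparison and header integrity with one signature verification.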

By using signed headers, applications can prevent various types of attacks, such as data tampering and, provided a timestamp or nonce header (such as “Date”) is covered by the signature and the server rejects stale or repeated values, replay attacks. This technique is commonly employed in secure API communication, where both the client and server have agreed upon a shared cryptographic mechanism for signing and verifying headers.