B.4. HTTP Message Transformations
HTTP allows intermediaries and applications to transform an HTTP message without affecting the semantics of the message itself. HTTP message signatures are designed to be robust against many of these transformations in different circumstances. Which transformations a given signature survives is not a property of the message but of the signer's choice of covered components: a transformation invalidates the signature exactly when it changes the value of a covered component in the signature base.
For example, the following HTTP request message has been signed using the Ed25519 algorithm and the key test-key-ed25519:
NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.org
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: application/json
Accept: */*
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
The signature base string for this message is:
NOTE: '\' line wrapping per RFC 8792

"@method": GET
"@path": /demo
"@authority": example.org
"accept": application/json, */*
"@signature-params": ("@method" "@path" "@authority" "accept")\
  ;created=1618884473;keyid="test-key-ed25519"
The following message has been altered by adding the Accept-Language header field as well as adding a query parameter. However, since neither the Accept-Language header field nor the query component is covered by the signature, the same signature is still valid:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2&param=added HTTP/1.1
Host: example.org
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: application/json
Accept: */*
Accept-Language: en-US,en;q=0.5
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
The following message has been altered by removing the Date header field, adding a Referer header field, and collapsing the Accept header field into a single line. The Date and Referer header fields are not covered by the signature, and the collapsing of the Accept header field is an allowed transformation that is already accounted for by the canonicalization algorithm for HTTP field values. The same signature is still valid:
NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.org
Referer: https://developer.example.org/demo
Accept: application/json, */*
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
The following message has been altered by reordering the header fields of the original message while keeping the two Accept header fields in their original relative order. Canonicalization reads only the instances of each covered field, in message order, so the signature base is unchanged and the same signature is still valid:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Accept: application/json
Accept: */*
Date: Fri, 15 Jul 2022 14:24:55 GMT
Host: example.org
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
The following message has been altered by changing the method to POST and the authority to "example.com" (inside the Host header field). Since both the method and authority are covered by the signature, the same signature is NOT still valid:
NOTE: '\' line wrapping per RFC 8792

POST /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.com
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: application/json
Accept: */*
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
The following message has been altered by changing the order of the two instances of the Accept header field. Since the order of fields with the same name is semantically significant in HTTP, this changes the value used in the signature base, and the same signature is NOT still valid:
NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.org
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: */*
Accept: application/json
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
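The six messages above differ only in which lines of the signature base they change, so the whole appendix can be checked mechanically by rebuilding the base for each message and comparing it with the original. The following Python is an added example, not code from RFC 9421 or any implementation of it: it parses an HTTP/1.1 request head, canonicalizes the components used on this page (@method, @path, @authority and the accept field, joining repeated instances with ", " in message order), serializes the @signature-params line, and reports which altered messages keep the original base. It goes one step beyond the page by also supporting @query, to show that covering it would have caught the added query parameter. The request texts are constructed from the messages on this page; the Signature-Input and Signature fields are omitted because they are not inputs to the base.

```python
"""Rebuild the RFC 9421 signature base for the transformed messages in Appendix B.4."""
import re
from typing import Dict, List, Tuple

Field = Tuple[str, str]


def parse_request(raw: str) -> Tuple[str, str, List[Field]]:
    """Parse an HTTP/1.1 request head into (method, request-target, fields).

    Field order and repeated field lines are kept: RFC 9421 joins the instances
    of a covered field in message order, so that order is signature-relevant.
    """
    lines = raw.strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    fields: List[Field] = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return method, target, fields


def field_value(fields: List[Field], name: str) -> str:
    """RFC 9421 section 2.1: lowercase name, each instance trimmed (internal
    whitespace runs collapsed), all instances joined with ', ' in message order."""
    values = [re.sub(r"[ \t]+", " ", v) for n, v in fields if n == name]
    if not values:
        raise KeyError(f"covered field {name!r} is absent from the message")
    return ", ".join(values)


def derived_component(name: str, method: str, target: str, fields: List[Field]) -> str:
    """Derived components: the three used on this page plus @query (section 2.2.7)."""
    path, _, query = target.partition("?")
    if name == "@method":
        return method.upper()
    if name == "@path":
        return path or "/"
    if name == "@query":
        return "?" + query  # the leading '?' is part of the value
    if name == "@authority":
        return field_value(fields, "host").lower()  # HTTP/1.1: authority comes from Host
    raise KeyError(f"unsupported derived component {name!r}")


def serialize_params(components: List[str], params: Dict[str, object]) -> str:
    """Serialize the inner list that forms the @signature-params line."""
    ids = " ".join(f'"{c}"' for c in components)
    extra = "".join(f";{k}={v}" if isinstance(v, int) else f';{k}="{v}"' for k, v in params.items())
    return f"({ids}){extra}"


def signature_base(raw: str, components: List[str], params: Dict[str, object]) -> str:
    """Build the signature base: one '"name": value' line per covered component,
    then the @signature-params line, joined by newlines with no trailing newline."""
    method, target, fields = parse_request(raw)
    lines = []
    for c in components:
        value = derived_component(c, method, target, fields) if c.startswith("@") else field_value(fields, c)
        lines.append(f'"{c}": {value}')
    lines.append(f'"@signature-params": {serialize_params(components, params)}')
    return "\n".join(lines)


# Messages constructed from this page (Signature-Input/Signature lines omitted).
ORIGINAL = "GET /demo?name1=Value1&Name2=value2 HTTP/1.1\nHost: example.org\nDate: Fri, 15 Jul 2022 14:24:55 GMT\nAccept: application/json\nAccept: */*\n"
ALTERED = {
    "added_fields": "GET /demo?name1=Value1&Name2=value2&param=added HTTP/1.1\nHost: example.org\nDate: Fri, 15 Jul 2022 14:24:55 GMT\nAccept: application/json\nAccept: */*\nAccept-Language: en-US,en;q=0.5\n",
    "removed_date": "GET /demo?name1=Value1&Name2=value2 HTTP/1.1\nHost: example.org\nReferer: https://developer.example.org/demo\nAccept: application/json, */*\n",
    "reordered_fields": "GET /demo?name1=Value1&Name2=value2 HTTP/1.1\nAccept: application/json\nAccept: */*\nDate: Fri, 15 Jul 2022 14:24:55 GMT\nHost: example.org\n",
    "changed_method_authority": "POST /demo?name1=Value1&Name2=value2 HTTP/1.1\nHost: example.com\nDate: Fri, 15 Jul 2022 14:24:55 GMT\nAccept: application/json\nAccept: */*\n",
    "swapped_accept": "GET /demo?name1=Value1&Name2=value2 HTTP/1.1\nHost: example.org\nDate: Fri, 15 Jul 2022 14:24:55 GMT\nAccept: */*\nAccept: application/json\n",
}
COVERED = ["@method", "@path", "@authority", "accept"]
PARAMS = {"created": 1618884473, "keyid": "test-key-ed25519"}
EXPECTED_BASE = (
    '"@method": GET\n"@path": /demo\n"@authority": example.org\n'
    '"accept": application/json, */*\n'
    '"@signature-params": ("@method" "@path" "@authority" "accept")'
    ';created=1618884473;keyid="test-key-ed25519"'
)


def check_transformations(covered: List[str] = COVERED) -> Dict[str, bool]:
    """True where an altered message yields the same base as the original,
    i.e. where the original signature would still verify."""
    reference = signature_base(ORIGINAL, covered, PARAMS)
    return {name: signature_base(msg, covered, PARAMS) == reference for name, msg in ALTERED.items()}


if __name__ == "__main__":
    print(signature_base(ORIGINAL, COVERED, PARAMS), end="\n\n")
    for name, same in check_transformations().items():
        print(f"{name:26s} signature {'still valid' if same else 'NOT valid'}")
    print("\nwith @query also covered:", check_transformations(COVERED + ["@query"]))
```

Comparing bases is exactly what a verifier does before checking the Ed25519 signature over them, so an equal base with an unchanged Signature field means the signature still verifies; the only thing this example does not do is the final public-key check. The @query run shows the practical lesson of this appendix: the added query parameter slipped through only because the signer chose not to cover @query, so a verifier that cares about the query string must require it in Signature-Input rather than hope the signer included it.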