
Add support for special headers `(created)` and `(expires)`

For these two headers you need to include them in the Signature field while signing, and read them off of the Signature header while validating. This comes from rev 11+ of the Cavage draft: https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12#section-2.1.4

See #2, https://akkoma.dev/AkkomaGang/akkoma/issues/797, https://github.com/superseriousbusiness/gotosocial/issues/2991.

Note that the following checks are not yet implemented; I wonder if you would like to include them:

  • Require that created and expires are timestamps
  • Require that the two timestamps are in the past/future respectively
  • Require that keys including these two in the headers are not rsa, hmac or ecdsa
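As an added illustration (not code from this merge request or the project), the following shows how `(created)` and `(expires)` enter the signing string on the signing side, how they are read off the Signature header on the validating side, and the three checks listed above, following draft-cavage-http-signatures-12 section 2.1.4. All function names are assumptions, and header names are assumed to be lower-cased already.

```python
import re
import time

# Section 2.1.4: (created)/(expires) MUST NOT be used with algorithms
# starting with rsa, hmac or ecdsa (implementations must raise an error).
_FORBIDDEN_ALG_PREFIXES = ("rsa", "hmac", "ecdsa")
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]+))')


def parse_signature_header(value):
    """Parse a Signature header into a dict. Per the draft, created and
    expires are bare numbers while the other parameters are quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(value)}


def build_signing_string(headers, covered, created=None, expires=None):
    """One 'name: value' line per covered header. (created) and (expires)
    take their value from the Signature parameters, not the HTTP message."""
    lines = []
    for name in covered:
        if name in ("(created)", "(expires)"):
            param = created if name == "(created)" else expires
            if param is None:
                raise ValueError(f"{name} covered but parameter missing")
            lines.append(f"{name}: {param}")
        else:
            lines.append(f"{name}: {headers[name].strip()}")
    return "\n".join(lines)


def check_special_params(params, now=None):
    """The three checks the merge request lists as still open. Returns None
    when the parameters are acceptable, otherwise a reason string."""
    now = time.time() if now is None else now
    algorithm = params.get("algorithm", "").lower()
    covered = params.get("headers", "").split()
    if ("(created)" in covered or "(expires)" in covered) \
            and algorithm.startswith(_FORBIDDEN_ALG_PREFIXES):
        return f"(created)/(expires) not allowed with algorithm {algorithm}"
    for key in ("created", "expires"):
        # Unix timestamp; sub-second decimals are accepted here (assumption).
        if key in params and not re.fullmatch(r"\d+(\.\d+)?", params[key]):
            return f"{key} is not a timestamp"
    if "created" in params and float(params["created"]) > now:
        return "created is in the future"
    if "expires" in params and float(params["expires"]) < now:
        return "signature has expired"
    return None
```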
