Allow message to be verified

[alexellis]

Feature: Non-repudiation for queue-worker callbacks

Suggested by: Ed Wilde @ewilde

We can use HMAC or RSA and HMAC together to sign messages when we use the X-Callback-Url. This means that receivers of the callback messages can verify the sender as the queue worker vs. some bad actor that discovered the URL.

[alexellis]

Via @ewilde https://tools.ietf.org/html/draft-cavage-http-signatures-05

[ewilde]

I've created a conceptual diagram for the http signatures flow: diagram

[ewilde]

Derek assign: ewilde