This repository was archived by the owner on Oct 25, 2024. It is now read-only.

Description
The http-signature security audit recommends that server implementations validate the required Date header to be within a 5-minute skew interval.
https://web-payments.org/specs/source/http-signatures-audit/#replay-http
Excerpt:
As the default scheme is to include the Date header in the signature, service providers SHOULD protect against logged replay attacks by enforcing a clock skew. The server SHOULD be synchronized with NTP, and the recommendation is to allow 300 seconds of clock skew (in either direction).
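
One way a server could enforce the check described above, as an added example that is not code from this repository. The function names, the lowercase-keyed header dict and the simplified Signature parameter parser are assumptions made for illustration; cryptographic verification of the signature is assumed to happen separately.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 300  # the audit's recommendation: 300 s in either direction

# Simplified key="value" matcher for the Signature header (no escaped quotes).
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def signed_header_names(signature_header):
    """Return the lowercase header names the signature claims to cover."""
    params = dict(_PARAM_RE.findall(signature_header))
    # Assumption: an omitted `headers` parameter means only Date is signed,
    # the default scheme the audit excerpt refers to.
    return params.get("headers", "date").lower().split()


def check_date_freshness(headers, now=None, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, reason) for a request's headers (dict with lowercase keys)."""
    now = now or datetime.now(timezone.utc)
    sig = headers.get("signature")
    if not sig:
        return False, "missing signature header"
    # An unsigned Date can be rewritten by whoever replays the request,
    # so the skew check only means something if Date is covered.
    if "date" not in signed_header_names(sig):
        return False, "date header is not covered by the signature"
    raw = headers.get("date")
    if raw is None:
        return False, "missing date header"
    try:
        sent = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return False, "unparseable date header"
    if sent.tzinfo is None:
        # A "-0000" zone parses as naive; HTTP dates are UTC.
        sent = sent.replace(tzinfo=timezone.utc)
    skew = abs((now - sent).total_seconds())
    if skew > max_skew:
        return False, f"clock skew {skew:.0f}s exceeds {max_skew}s"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request; the keyId and signature value are placeholders.
    sample = {"date": "Mon, 01 Jan 2024 12:00:00 GMT",
              "signature": 'keyId="test-key",headers="host date",signature="AAAA"'}
    print(check_date_freshness(sample))
```

Run the check before or together with signature verification, and reject the request when either fails.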