{"id":16843213,"url":"https://github.com/jbowes/httpsig","last_synced_at":"2025-03-22T05:31:14.989Z","repository":{"id":47060493,"uuid":"376024103","full_name":"jbowes/httpsig","owner":"jbowes","description":"HTTP Request Signing with ✨ STANDARDS ✨","archived":false,"fork":false,"pushed_at":"2024-02-21T16:24:03.000Z","size":41,"stargazers_count":27,"open_issues_count":10,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-18T08:48:08.899Z","etag":null,"topics":["go","golang","hacktoberfest","http","signature"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jbowes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-11T12:51:38.000Z","updated_at":"2025-03-07T05:22:00.000Z","dependencies_parsed_at":"2024-06-19T22:51:02.130Z","dependency_job_id":"5e85a31c-5516-4d49-afa0-96761d699d1c","html_url":"https://github.com/jbowes/httpsig","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbowes%2Fhttpsig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbowes%2Fhttpsig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbowes%2Fhttpsig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbowes%2Fhttpsig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jbowes","download_url":"https://codeload.github.com/jb
owes/httpsig/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244912800,"owners_count":20530764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","hacktoberfest","http","signature"],"created_at":"2024-10-13T12:49:59.749Z","updated_at":"2025-03-22T05:31:13.913Z","avatar_url":"https://github.com/jbowes.png","language":"Go","readme":"\u003c!--\n  Attractive html formatting for rendering in github. sorry text editor\n  readers! Besides the header and section links, everything should be clean and\n  readable.\n--\u003e\n\u003ch1 align=\"center\"\u003ehttpsig\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\u003ci\u003eStandards-based HTTP request signing and verification for \u003ca href=\"https://golang.org\"\u003eGo\u003c/a\u003e\u003c/i\u003e\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://pkg.go.dev/github.com/jbowes/httpsig\"\u003e\u003cimg src=\"https://pkg.go.dev/badge/github.com/jbowes/httpsig.svg\" alt=\"Go Reference\"\u003e\u003c/a\u003e\n  \u003cimg alt=\"Alpha Quality\" src=\"https://img.shields.io/badge/status-ALPHA-orange.svg\" \u003e\n  \u003ca href=\"https://github.com/jbowes/httpsig/actions/workflows/go.yml\"\u003e\u003cimg alt=\"Build Status\" src=\"https://github.com/jbowes/httpsig/actions/workflows/go.yml/badge.svg?branch=main\"\u003e\u003c/a\u003e\n  \u003ca href=\"./LICENSE\"\u003e\u003cimg alt=\"BSD license\" src=\"https://img.shields.io/badge/license-BSD-blue.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://codecov.io/gh/jbowes/httpsig\"\u003e\u003cimg 
alt=\"codecov\" src=\"https://img.shields.io/codecov/c/github/jbowes/httpsig.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/jbowes/httpsig\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/jbowes/httpsig\"\u003e\u003c/a\u003e\n\u003c/div\u003e\u003cbr /\u003e\u003cbr /\u003e\n\n## Introduction\n\n`httpsig` provides support for signing and verifying HTTP requests according\nto the [HTTP Message Signatures][msgsig] draft standard. This standard focuses\non signing headers and request paths, and you probably want to sign the\nrequest body too, so body digest calculation according to\n[Digest Headers][dighdr] is included.\n\nSigned HTTP requests are ideal for scenarios like sending webhooks, allowing\nreceivers to securely verify the request came from your server, mitigate replay\nattacks, etc.\n\nContrary to the commonly-used `x-hub-signature`, the standards implemented by\nthis package provide a signature of the entire request, including HTTP headers\nand the request path.\n\n## Usage\n\n### Signing HTTP Requests in Clients\n\nTo sign HTTP requests from a client, wrap an `http.Client`'s transport with\n`NewSignTransport`:\n\n```go\nclient := http.Client{\n\t// Wrap the transport:\n\tTransport: httpsig.NewSignTransport(http.DefaultTransport,\n\t\thttpsig.WithSignEcdsaP256Sha256(\"key1\", privKey)),\n}\n\nvar buf bytes.Buffer\n\n// construct body, etc\n// ...\n\nresp, err := client.Post(\"https://some-url.com\", \"application/json\", \u0026buf)\nif err != nil {\n\treturn\n}\ndefer resp.Body.Close()\n\n// ...\n```\n\n### Verifying HTTP Requests in Servers\n\nTo verify HTTP requests on the server, wrap the `http.Handler`s you wish to\nprotect with `NewVerifyMiddleware`. 
`NewVerifyMiddleware` returns the wrapping\nfunc, so you can reuse configuration across multiple handlers.\n\n```go\nh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\tw.Header().Set(\"Content-Type\", \"text/plain\")\n\tio.WriteString(w, \"Your request has a valid signature!\")\n})\n\nmiddleware := httpsig.NewVerifyMiddleware(httpsig.WithVerifyEcdsaP256Sha256(\"key1\", pubkey))\nhttp.Handle(\"/\", middleware(h))\n```\n\nFor more usage examples and documentation, see the [godoc reference][godoc].\n\n## The Big Feature Matrix\n\nThis implementation is based on version `06` of [HTTP Message Signatures][msgsig]\n(`draft-ietf-httpbis-message-signatures-05` from 8 June 2021). Digest\ncomputation is based on version `05` of [Digest Headers][dighdr]\n(`draft-ietf-httpbis-digest-headers-05` from 13 April 2021).\n\n| Feature                         |   |   | Notes                                                                  |\n| ------------------------------- | - | - | ---------------------------------------------------------------------- |\n| sign requests                   | ✅ |   |                                                                        |\n| verify requests                 | ✅ |   |                                                                        |\n| sign responses                  |   | ❌ |                                                                        |\n| verify responses                |   | ❌ |                                                                        |\n| add `expires` to signature      |   | ❌ | sorely needed                                                          |\n| enforce `expires` in verify     | ✅ |   |                                                                        |\n| `@method` component             | ✅ |   |                                                                        |\n| `@authority` component          | ✅ |   |                                                         
               |\n| `@scheme` component             |   | ❌ |                                                                        |\n| `@target-uri` component         |   | ❌ |                                                                        |\n| `@request-target` component     |   | ❌ | Semantics changed in draft-06, no longer recommended for use.          |\n| `@path` component               | ✅ |   |                                                                        |\n| `@query` component              | ✅ |   | Encoding handling is missing.                                          |\n| `@query-params` component       |   | ❌ |                                                                        |\n| `@status` component             |   | ❌ |                                                                        |\n| request-response binding        |   | ❌ |                                                                        |\n| `Accept-Signature` header       |   | ❌ |                                                                        |\n| create multiple signatures      | ✅ |   |                                                                        |\n| verify from multiple signatures | ✅ |   |                                                                        |\n| `rsa-pss-sha512`                | ✅ |   |                                                                        |\n| `rsa-v1_5-sha256`               |   | ❌ |                                                                        |\n| `hmac-sha256`                   | ✅ |   |                                                                        |\n| `ecdsa-p256-sha256`             | ✅ |   |                                                                        |\n| custom signature formats        |   | ❌ | `eddsa` is not part of the spec, so custom support here would be nice! 
|\n| JSON Web Signatures             |   | ❌ | JWS doesn't support any additional algs, but it is part of the spec    |\n| Signature-Input as trailer      |   | ❌ | Trailers can be dropped. accept for verification only.                 |\n| Signature as trailer            |   | ❌ | Trailers can be dropped. accept for verification only.                 |\n| request digests                 | ✅ |   |                                                                        |\n| response digests                |   | ❌ | Tricky to support for signature use according to the spec              |\n| multiple digests                |   | ❌ |                                                                        |\n| digest: `sha-256`               |   | ❌ |                                                                        |\n| digest: `sha-512`               |   | ❌ |                                                                        |\n| digest: `md5`                   |   | ❌ | Deprecated in the spec. Unlikely to be supported.                      |\n| digest: `sha`                   |   | ❌ | Deprecated in the spec. Unlikely to be supported.                      |\n| digest: `unixsum`               |   | ❌ |                                                                        |\n| digest: `unixcksum`             |   | ❌ |                                                                        |\n| digest: `id-sha-512`            |   | ❌ |                                                                        |\n| digest: `id-sha-256`            | ✅ |   | `id-*` digests are more resilient for `content-encoding` support       |\n| custom digest formats           |   | ❌ |                                                                        |\n\n## Contributing\n\nI would love your help!\n\n`httpsig` is still a work in progress. You can help by:\n\n- Opening a pull request to resolve an [open issue][issues].\n- Adding a feature or enhancement of your own! 
If it might be big, please\n  [open an issue][enhancement] first so we can discuss it.\n- Improving this `README` or adding other documentation to `httpsig`.\n- Letting [me] know if you're using `httpsig`.\n\n\u003c!-- These are mostly for pkg.go.dev, to show up in the header --\u003e\n## Links\n\n- [HTTP Message Signatures standard][msgsig]\n- [Digest Headers standard][dighdr]\n- [Modern webhook signatures][myblog]\n\n\u003c!-- Other links --\u003e\n[go]: https://golang.org\n[msgsig]: https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/\n[dighdr]: https://datatracker.ietf.org/doc/draft-ietf-httpbis-digest-headers/\n[myblog]: https://repl.ca/modern-webhook-signatures/\n\n[godoc]: https://pkg.go.dev/github.com/jbowes/httpsig\n[issues]: ./issues\n[bug]: ./issues/new?labels=bug\n[enhancement]: ./issues/new?labels=enhancement\n\n[me]: https://twitter.com/jrbowes\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbowes%2Fhttpsig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjbowes%2Fhttpsig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbowes%2Fhttpsig/lists"}