altcha-org/altcha

Question on secure server Expires HTTP header

Closed this issue · 2 comments

I read in your manual, under the Challenge expiration point, that it is good to use the Expires HTTP header to secure the server.

Can I use the max-age HTTP header too, or does it only work if I use the Expires HTTP header?
How long should it be? 3 sec, 30 sec, 60 min?

best regards,
Leonardo

ovx commented

Hi Leonardo, currently only the Expires header is supported. max-age is part of the Cache-Control header, but the challenge should not be cached at all; the Expires header only tells the widget when the challenge expires. So if you also send Cache-Control, it should contain no-cache.

The duration depends on your use case. Normally, when using the challengeurl attribute, the challenge is computed right away, but remember, it might take the user some time to submit the form - for example, they may want to change something after verification. But the generally recommended duration is 1 hour.

You should also check the expiration on your server (you can put the timestamp in the salt and parse it on the server when it is received for verification).

Thank you very much,
regards,
Leonardo