Give choice in signed headers

Question

Give choice in signed headers

sleg-aws opened this issue 4 years ago · 4 comments

There is no reason for all http headers to be signed during Aws sigv4, and actually, some services like SES are requesting customers not to sign some headers like 'connection'

Answer 1 · 2020-10-30T23:41:57.000Z

Yeah, that's fair – when this library was created there wasn't a list of included/excluded headers. Since then there's been a little more info, like this:

https://github.com/mhart/aws4fetch/blob/b3aed16b6f17384cf36ea33bcba3c1e9f3bdfefd/src/main.js#L25-L34

Have you got documentation showing which headers need to be signed (vs just a list of which ones don't)?

Answer 2 · 2020-10-30T23:45:44.000Z

I don't, because there isn't one. In theory, customers can sign any header. In reality, some headers are blocked by AWS because they are 'internal', or just not supported by some services/components, so I would advise flexibility here

Answer 3 · 2020-10-30T23:53:59.000Z

I think I'll follow the Java client as a minimum: https://github.com/aws/aws-sdk-java-v2/blob/dc695de6ab49ad03934e1b02e7263abbd2354be0/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L59

Answer 4 · 2020-10-31T00:12:17.000Z

Just released v1.11.0 that should address this – at least, it should prevent errors.

I'm not really interested in expanding the API to allow users to specify which headers they sign and which they don't.

At least, not unless I have to address certain scenarios with AWS services.