Currently, in HTTP auth, the client signs the current timestamp and the server applies a hard-coded maximum age to the signed headers.
This gives the client no control over how long a signature should remain valid. We could invert this control by having the client sign an expiration date instead of a timestamp.
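The two models side by side, as an added example that is not code from the project this proposal concerns. The header names, the HMAC construction, the shared secret and the server-side limits are all assumptions chosen for illustration. The proposed verifier keeps a server-side cap on how far ahead the expiration may lie, since without one a client could mint a signature that never stops being replayable.

```python
import hashlib
import hmac

# Constructed demo values; a real service would hold per-client secrets (assumption).
SECRET = b"constructed-demo-secret"
SERVER_MAX_AGE = 300   # hypothetical hard-coded server max age, in seconds
CLOCK_SKEW = 30        # tolerated skew for timestamps slightly in the future

# Hypothetical header names, not taken from any particular project.
TS_HEADER = "X-Auth-Timestamp"
EXP_HEADER = "X-Auth-Expires"
SIG_HEADER = "X-Auth-Signature"


def _canonical(method: str, path: str, label: str, value: int) -> bytes:
    # The signed string binds method, path and the labelled time field, so a
    # signature over a timestamp cannot be presented as one over an expiration.
    return f"{method.upper()}\n{path}\n{label}={value}".encode()


def _sign(message: bytes) -> str:
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def _valid_signature(message: bytes, presented: str) -> bool:
    return hmac.compare_digest(_sign(message), presented)


# Current model: the client signs "now"; the server alone decides how long that stays valid.
def sign_with_timestamp(method: str, path: str, now: int) -> dict:
    msg = _canonical(method, path, "ts", now)
    return {TS_HEADER: str(now), SIG_HEADER: _sign(msg)}


def verify_with_timestamp(method: str, path: str, headers: dict, now: int,
                          max_age: int = SERVER_MAX_AGE) -> bool:
    try:
        ts = int(headers[TS_HEADER])
    except (KeyError, ValueError):
        return False
    if not _valid_signature(_canonical(method, path, "ts", ts), headers.get(SIG_HEADER, "")):
        return False
    age = now - ts
    return -CLOCK_SKEW <= age <= max_age


# Proposed model: the client signs an expiration instant and so chooses the validity window.
def sign_with_expiration(method: str, path: str, expires_at: int) -> dict:
    msg = _canonical(method, path, "exp", expires_at)
    return {EXP_HEADER: str(expires_at), SIG_HEADER: _sign(msg)}


def verify_with_expiration(method: str, path: str, headers: dict, now: int,
                           max_lifetime: int = SERVER_MAX_AGE) -> bool:
    try:
        exp = int(headers[EXP_HEADER])
    except (KeyError, ValueError):
        return False
    if not _valid_signature(_canonical(method, path, "exp", exp), headers.get(SIG_HEADER, "")):
        return False
    if now > exp:
        return False  # expired, exactly as the client requested
    # The server still bounds the remaining lifetime; an unbounded expiration
    # would let a single captured request be replayed indefinitely.
    return exp - now <= max_lifetime


if __name__ == "__main__":
    hdrs = sign_with_expiration("GET", "/api/items", expires_at=1060)
    print(verify_with_expiration("GET", "/api/items", hdrs, now=1050))  # valid
    print(verify_with_expiration("GET", "/api/items", hdrs, now=1070))  # expired
```

With the expiration model the client can ask for a window shorter than the server default (a few seconds for a one-off request) while the server's `max_lifetime` check still refuses an expiration further ahead than it is willing to honour.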