mhart / aws4

Signs and prepares Node.js requests using AWS Signature Version 4
MIT License

Give choice in signed headers #119

Closed sleg-aws closed 4 years ago

sleg-aws commented 4 years ago

There is no reason for all HTTP headers to be signed during AWS SigV4, and actually, some services like SES are requesting customers not to sign some headers like 'connection'.

mhart commented 4 years ago

Yeah, that's fair – when this library was created there wasn't a list of included/excluded headers. Since then there's been a little more info, like this:

https://github.com/mhart/aws4fetch/blob/b3aed16b6f17384cf36ea33bcba3c1e9f3bdfefd/src/main.js#L25-L34

Have you got documentation showing which headers need to be signed (vs just a list of which ones don't)?

sleg-aws commented 4 years ago

I don't, because there isn't one. In theory, customers can sign any header. In reality, some headers are blocked by AWS because they are 'internal', or just not supported by some services/components, so I would advise flexibility here.

mhart commented 4 years ago

I think I'll follow the Java client as a minimum: https://github.com/aws/aws-sdk-java-v2/blob/dc695de6ab49ad03934e1b02e7263abbd2354be0/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L59

mhart commented 4 years ago

Just released v1.11.0 that should address this – at least, it should prevent errors.

I'm not really interested in expanding the API to allow users to specify which headers they sign and which they don't.

At least, not unless I have to address certain scenarios with AWS services.
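
Added example (not part of the thread and not aws4's own code): a sketch of how the SigV4 canonical-headers block and `SignedHeaders` list are built, showing why a signature that covers `connection` breaks when an intermediary rewrites that header, and why excluding it avoids the error. Only `connection` comes from the thread; the other entries in the exclusion list, the host name and the date are assumptions made for illustration.

```javascript
// ASSUMPTION: only 'connection' is named in the thread; the other entries are
// illustrative headers that intermediaries commonly alter, not aws4's real list.
const UNSIGNED_HEADERS = new Set(['connection', 'user-agent', 'x-amzn-trace-id', 'expect'])

// SigV4 canonical form: lowercase names, trimmed values with whitespace runs
// collapsed, sorted by name, one "name:value\n" line per header.
function canonicalize(headers, skip = new Set()) {
  const entries = Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), String(value).trim().replace(/\s+/g, ' ')])
    .filter(([name]) => !skip.has(name))
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
  return {
    canonicalHeaders: entries.map(([n, v]) => `${n}:${v}\n`).join(''),
    signedHeaders: entries.map(([n]) => n).join(';'),
  }
}

// Verifier's view: rebuild the canonical block from the headers listed in
// SignedHeaders, using the values that actually arrived.
function serverView(receivedHeaders, signedHeaders) {
  const names = new Set(signedHeaders.split(';'))
  const picked = {}
  for (const [name, value] of Object.entries(receivedHeaders)) {
    if (names.has(name.toLowerCase())) picked[name] = value
  }
  return canonicalize(picked).canonicalHeaders
}

// Constructed sample request (hypothetical host and date).
const sent = {
  Host: 'service.example.com',
  'X-Amz-Date': '20200101T000000Z',
  Connection: 'keep-alive',
}
// The same request after an intermediary rewrote the hop-by-hop header.
const received = { ...sent, Connection: 'close' }

// True when the canonical block the client signed equals the one the
// verifier reconstructs, i.e. the signature would still match.
function survivesRewrite(skip) {
  const { canonicalHeaders, signedHeaders } = canonicalize(sent, skip)
  return serverView(received, signedHeaders) === canonicalHeaders
}

console.log('sign every header:   ', survivesRewrite(new Set()))
console.log('skip exclusion list: ', survivesRewrite(UNSIGNED_HEADERS))
```

The trade-off is that any header left out of `SignedHeaders` is not integrity-protected, so an exclusion list should stay limited to headers whose values the receiving service does not rely on.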