w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

Fix: #67. Forbid zero-length Signature.headers. #70

Closed ioggstream closed 5 years ago

ioggstream commented 5 years ago

This PR

Forbids signing a blank string.

You should sign at least one HTTP header, or the signature could be used multiple times (replay attack).
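The rule proposed above, as a verifier-side check (an added example, not code from this PR or the specification). The function names, the simplified quoted-parameter parser, the `date` default used when `headers` is absent, and the sample values are assumptions of this sketch.

```python
import re

# Simplified: only key="value" parameters are recognised.
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

class SignatureError(ValueError):
    """Raised when a Signature header must not be accepted."""

def parse_signature_params(header_value):
    """Split a Signature header value into a dict of its parameters."""
    return dict(_PARAM_RE.findall(header_value))

def signed_header_names(params, default=("date",)):
    """Return the lowercase header names the signature covers.

    `default` (an assumption here) applies only when `headers` is absent.
    A `headers` parameter that is present but zero-length is rejected.
    """
    if "headers" not in params:
        return list(default)
    names = params["headers"].lower().split()
    if not names:
        raise SignatureError("zero-length 'headers' parameter")
    return names

def signing_string(names, request_headers):
    """Build the string that is signed; request_headers has lowercase keys,
    with the request line supplied by the caller under '(request-target)'."""
    lines = []
    for name in names:
        if name not in request_headers:
            raise SignatureError(f"signed header {name!r} missing from request")
        lines.append(f"{name}: {request_headers[name].strip()}")
    return "\n".join(lines)

# Constructed sample values, not taken from the page.
SAMPLE_OK = 'keyId="k1",algorithm="hmac-sha256",headers="(request-target) date",signature="AAAA"'
SAMPLE_EMPTY = 'keyId="k1",algorithm="hmac-sha256",headers="",signature="AAAA"'
REQ_A = {"(request-target)": "post /pay", "date": "Tue, 07 Jun 2014 20:51:35 GMT"}
REQ_B = {"(request-target)": "post /delete", "date": "Wed, 08 Jun 2014 09:00:00 GMT"}

def empty_list_binds_nothing():
    """With no headers listed, two different requests yield the same (empty)
    signing string, so one signature would verify for both."""
    return signing_string([], REQ_A) == signing_string([], REQ_B) == ""
```
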

ioggstream commented 5 years ago

@msporny do you agree?

msporny commented 5 years ago

Agree, merging.