Add header allowlist

2024-06-02 13:29:34 +00:00 · 2024-01-14 18:46:02 +00:00 · 2024-01-14 18:46:02 +00:00 · 3c6820cfe3
parent 1dec02f89c
commit 3c6820cfe3
1 changed files with 12 additions and 1 deletions
--- a/core/signatures.py
+++ b/core/signatures.py
@ -69,6 +69,15 @@ class HttpSignature:
    Allows for calculation and verification of HTTP signatures
    """

+    #: Headers we should consider when producing signatures
+    HEADERS_FOR_SIGNING = {
+        "date",
+        "host",
+        "(request-target)",
+        "content-type",
+        "content-length",
+    }
+
    @classmethod
    def calculate_digest(cls, data, algorithm="sha-256") -> str:
        """
@ -211,7 +220,9 @@ class HttpSignature:

        # Sign the headers
        signing_headers = [
-            key for key in request.headers.keys() if key.lower() != "user-agent"
+            key
+            for key in request.headers.keys()
+            if key.lower() in cls.HEADERS_FOR_SIGNING
        ]
        signed_string = "\n".join(
            f"{name.lower()}: {value}"