HTTP Message Signatures are a mechanism to create, encode, and verify signatures over components of an HTTP message. They are standardised by the IETF in RFC 9421. This website checks incoming requests for such a signature, as defined in draft-meunier-web-bot-auth-architecture.
This website checks for an Ed25519 signature on incoming requests. Requests should be signed with the private half of the Ed25519 test key defined in Appendix B.1.4 of RFC 9421; the website verifies the signature with the matching public key.
As a platform provider, I would like to ensure websites are able to identify requests originating from my service. At the moment, I share IP ranges, but this is slow to deploy, cumbersome to maintain, and costly, especially as services multiply and outgoing traffic needs to be localised through a forward proxy. It's even more pressing as I onboard multiple companies onto my platform, each of which needs its own identity. And User-Agent headers have no integrity protection.
It's time for websites to know who's calling, and for platforms to prove it.
We define a key directory served at /.well-known/http-message-signatures-directory. The directory looks as follows:
{
  "keys": [
    {
      "kid": "poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U",
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "JrQLj5P_89iXES9-vFgrIy29clF9CC_oPPsw3c5D0bs",
      "nbf": 1743465600000
    }
  ],
  "purpose": "rag"
}
Parameters are defined as follows:
This website exposes an endpoint at /debug that dumps the incoming request headers.
First off, this is fantastic news!
To contribute to this website, you can go to cloudflareresearch/web-bot-auth.
To contribute to the standards discussion, the current draft is hosted at thibmeu/http-message-signatures-directory and is being discussed on the web-bot-auth IETF mailing list.