Research
Security News
The Growing Risk of Malicious Browser Extensions
Socket researchers uncover how browser extensions in trusted stores are used to hijack sessions, redirect traffic, and manipulate user behavior.
By Kush Pandya - Jun 13, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
github.com/yukimochi/httpsig
- Version published
- Created
httpsig
go get github.com/yukimochi/httpsig
Implementation of HTTP Signatures.
Supports many different combinations of MAC, HMAC signing of hash, or RSA signing of hash schemes. Its goals are:
- Have a very simple interface for signing and validating
- Support a variety of signing algorithms and combinations
- Support setting either headers (
AuthorizationorSignature) - Remaining flexible with headers included in the signing string
- Support both HTTP requests and responses
- Explicitly not support known-cryptographically weak algorithms
How to use
import "github.com/yukimochi/httpsig"
Signing
Signing a request or response requires creating a new Signer and using it:
func sign(privateKey crypto.PrivateKey, pubKeyId string, r *http.Request) error {
prefs := []httpsig.Algorithm{httpsig.RSA_SHA512, httpsig.RSA_SHA256}
// The "Date" and "Digest" headers must already be set on r, as well as r.URL.
headersToSign := []string{httpsig.RequestTarget, "date", "digest"}
signer, chosenAlgo, err := httpsig.NewSigner(prefs, headersToSign, httpsig.Signature)
if err != nil {
return err
}
// If r were a http.ResponseWriter, call SignResponse instead.
return signer.SignRequest(privateKey, pubKeyId, r)
}
Signers are not safe for concurrent use by goroutines, so be sure to guard
access:
type server struct {
signer httpsig.Signer
mu *sync.Mutex
}
func (s *server) handlerFunc(w http.ResponseWriter, r *http.Request) {
privateKey := ...
pubKeyId := ...
// Set headers and such on w
s.mu.Lock()
defer s.mu.Unlock()
err := s.signer.SignResponse(privateKey, pubKeyId, w)
if err != nil {
...
}
...
}
The pubKeyId will be used at verification time.
Verifying
Verifying requires an application to use the pubKeyId to both retrieve the key
needed for verification as well as determine the algorithm to use. Use a
Verifier:
func verify(r *http.Request) error {
verifier, err := httpsig.NewVerifier(r)
if err != nil {
return err
}
pubKeyId := verifier.KeyId()
var algo httpsig.Algorithm = ...
var pubKey crypto.PublicKey = ...
return verifier.Verify(pubKey, algo)
}
Verifiers are not safe for concurrent use by goroutines, but since they are
constructed on a per-request or per-response basis it should not be a common
restriction.
FAQs
Unknown package
Package last updated on 07 Apr 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain
An in-depth analysis of credential stealers, crypto drainers, cryptojackers, and clipboard hijackers abusing open source package registries to compromise Web3 development environments.
By Kirill Boychenko - Jun 12, 2025
Security News
pnpm 10.12 Introduces Global Virtual Store and Expanded Version Catalogs
pnpm 10.12.1 introduces a global virtual store for faster installs and new options for managing dependencies with version catalogs.
By Sarah Gooding - Jun 11, 2025