http-signature
The http-signature npm package is used to create and verify HTTP request signatures. It is based on the Joyent HTTP Signature Scheme and allows for signing HTTP messages for authentication and message integrity. This package is commonly used in APIs and web services to ensure that HTTP requests are made by authenticated users and have not been tampered with in transit.
Signing HTTP Requests
This feature allows you to sign an HTTP request using a private key. The resulting signature is added to the request's headers, which can then be verified by the server to authenticate the request.
```javascript
const https = require('https');
const httpSignature = require('http-signature');
const fs = require('fs');

const privateKey = fs.readFileSync('private.pem', 'ascii');

// sign() expects a ClientRequest (it calls getHeader/setHeader on it), not a
// plain options object, so build the request first and sign it before sending.
const req = https.request({ host: 'localhost', port: 8443, method: 'GET', path: '/foo' }, (res) => {
  console.log(res.statusCode);
});
httpSignature.sign(req, {
  key: privateKey,
  keyId: 'myKeyId'
});
// The signer adds a 'Date' header and an 'Authorization: Signature ...' header.
console.log(req.getHeaders());
req.end();
```
Verifying HTTP Requests
This feature allows you to verify the signature of an incoming HTTP request using a public key. If the signature is valid, it means the request was signed by the holder of the corresponding private key and has not been altered.
```javascript
const httpSignature = require('http-signature');
const fs = require('fs');

const publicKey = fs.readFileSync('public.pem', 'ascii');

// An incoming request (http.IncomingMessage, or any object with method, url
// and headers) whose 'authorization' header carries the Signature.
const request = {
  method: 'GET',
  url: '/foo',
  headers: {
    // must include 'date' and an 'authorization: Signature ...' header
  }
};

// verifySignature() takes the parsed signature, not the raw request;
// parseRequest() throws if the Authorization header is missing or malformed.
const parsed = httpSignature.parseRequest(request);
const isValid = httpSignature.verifySignature(parsed, publicKey);
console.log(isValid);
```
jsonwebtoken (or JWT) is a package that allows you to encode and decode JSON Web Tokens, which are a compact, URL-safe means of representing claims to be transferred between two parties. JWTs can also be signed like http-signature but are typically used for authorization tokens and information exchange, rather than signing HTTP requests.
oauth-1.0a is a package that implements OAuth 1.0a, an authorization protocol. It lets users approve an application to act on their behalf without sharing their password. It includes request signing, but as part of a broader authorization framework, unlike http-signature, which focuses solely on signing and verifying HTTP messages.
passport-http is a strategy for Passport, an authentication middleware for Node.js. It implements HTTP Basic and Digest authentication for Node.js applications but does not provide the same message signing capabilities as http-signature. Instead, it focuses on validating user credentials provided through HTTP headers.
node-http-signature is a node.js library that has client and server components for Joyent's HTTP Signature Scheme.
Note the example below signs a request with the same key/cert used to start an HTTP server. This is almost certainly not what you actually want, but is just used to illustrate the API calls; you will need to provide your own key management in addition to this library.
```javascript
// Client
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');

var key = fs.readFileSync('./key.pem', 'ascii');
var options = {
  host: 'localhost',
  port: 8443,
  path: '/',
  method: 'GET',
  headers: {}
};

// Adds a 'Date' header in, signs it, and adds the
// 'Authorization' header in.
var req = https.request(options, function(res) {
  console.log(res.statusCode);
});
httpSignature.sign(req, {
  key: key,
  keyId: './cert.pem',
  keyPassphrase: 'secret' // (optional)
});
req.end();
```
```javascript
// Server
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');

var options = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
};

https.createServer(options, function (req, res) {
  var rc = 200;
  // parseRequest() throws on a missing or malformed Authorization header.
  var parsed = httpSignature.parseRequest(req);
  // keyId is chosen by the client; using it directly as a file path is for
  // illustration only. Map keyId to a public key held in a trusted store
  // instead of reading a client-named path.
  var pub = fs.readFileSync(parsed.keyId, 'ascii');
  if (!httpSignature.verifySignature(parsed, pub))
    rc = 401;
  res.writeHead(rc);
  res.end();
}).listen(8443);
```
Installation: npm install http-signature
License: MIT.
Version: 1.4.0
FAQs
Reference implementation of Joyent's HTTP Signature scheme.
The npm package http-signature receives a total of 6,903,864 weekly downloads. As such, http-signature popularity was classified as popular.
We found that http-signature shows an unhealthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.