shreemaan-abhishek opened a new pull request, #13388: URL: https://github.com/apache/apisix/pull/13388
### Description

This PR defaults the `hmac-auth` plugin's `signed_headers` to `["date"]`.

Previously, `signed_headers` had no default. When a route operator did not configure it, the plugin's `generate_signature` reduced the signing string to just `keyId`. The `Date` header was therefore not bound into the HMAC, even though `clock_skew` is enabled by default and the documentation describes it as protection against stale requests.

Defaulting `signed_headers` to `["date"]` ensures the request's `Date` value is always part of the signing string unless the operator explicitly opts out.

Documentation in `docs/en/latest/plugins/hmac-auth.md` and `docs/zh/latest/plugins/hmac-auth.md` has been updated to reflect the new default and to clarify how `clock_skew` and `signed_headers` interact.

#### Which issue(s) this PR fixes:

Fixes # N/A

### Breaking change

Clients whose `Authorization: Signature ...` value does not currently list `date` in its `headers="..."` clause will start receiving `401` responses from routes whose `hmac-auth` plugin does not explicitly override `signed_headers`. The documented Python example in `docs/en/latest/plugins/hmac-auth.md` already binds `date`, so clients following the docs are unaffected. Operators who need the prior behavior can set `signed_headers: []` explicitly.

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
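Added example, not part of the pull request or the APISIX code base: a simplified Python model of the behaviour the description outlines, showing that a signature computed without `date` stays valid when the `Date` header changes, and that requiring `date` rejects both the unbound signature and the changed header. The signing-string layout, the function names and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def signing_string(key_id, headers, listed):
    # Simplified layout (assumption): key id, then "name: value" per listed header.
    lines = [key_id] + [f"{name}: {headers[name]}" for name in listed]
    return "\n".join(lines) + "\n"

def sign(secret, key_id, headers, listed):
    msg = signing_string(key_id, headers, listed).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def verify(secret, key_id, headers, listed, signature, signed_headers=("date",)):
    # Gateway side: every header in signed_headers must be listed by the client,
    # otherwise reject (the 401 described in the PR). Then recompute and compare.
    listed = [name.lower() for name in listed]
    if any(required not in listed for required in signed_headers):
        return False
    if any(name not in headers for name in listed):
        return False
    return hmac.compare_digest(sign(secret, key_id, headers, listed), signature)

def demo():
    secret, key_id = b"constructed-secret", "constructed-key-id"  # constructed values
    sent = {"date": "Tue, 01 Jan 2030 00:00:00 GMT"}     # Date at signing time
    changed = {"date": "Tue, 01 Jan 2030 06:00:00 GMT"}  # same request, Date rewritten
    sig_unbound = sign(secret, key_id, sent, [])         # client lists no headers
    sig_bound = sign(secret, key_id, sent, ["date"])     # client lists date
    return {
        # signed_headers=() models the earlier behaviour with no default
        "no_default_date_changed": verify(secret, key_id, changed, [], sig_unbound,
                                          signed_headers=()),
        "default_client_omits_date": verify(secret, key_id, sent, [], sig_unbound),
        "default_date_unchanged": verify(secret, key_id, sent, ["date"], sig_bound),
        "default_date_changed": verify(secret, key_id, changed, ["date"], sig_bound),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The first case is the gap the description refers to: with nothing but the key id in the signing string, a freshness check on `Date` compares a value the HMAC never covered.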
