bisakhmondal commented on issue #5784:
URL: https://github.com/apache/apisix/issues/5784#issuecomment-992479686


Hi @qq54903099, After going through the codebase, I think we have the `clock_skew` field inside hmac-auth [schema](https://apisix.apache.org/docs/apisix/plugins/hmac-auth#attributes) to prevent the issue of a replay attack.

How it prevents this:

1. Define the current DateTime inside request `Date` header (format similar to "Thu, 13 Dec 2021 11:27:35 GMT")
2. Upon receiving the request on the APISIX side, we perform a time diff. If the current timestamp minus the header Date is greater than the `clock_skew`, it returns an HTTP 401. By configuring the clock_skew you can reduce the window of opportunity for an attacker to eavesdrop.
3. As the header `Date` is part of the hmac signature calculation, the attacker can't tamper with it.

Hope it helps. I might not be entirely correct, @spacewander could you please validate.
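As an added example, not code from the comment or from the APISIX plugin itself: a Python model of the two checks described above (the `clock_skew` window on `Date`, then the HMAC over a string that contains `Date`). The signing string is simplified, the `X-HMAC-ACCESS-KEY`/`X-HMAC-SIGNATURE` header names are assumed to match the plugin's defaults, and the key, secret and timestamps are constructed.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed credentials and "current" time for the scenario (not real keys).
KEYS = {"user-key": b"constructed-secret"}
NOW = datetime(2021, 12, 13, 11, 27, 35, tzinfo=timezone.utc)

def sign(method, uri, date_header, access_key):
    # Simplified signing string (assumption); the plugin's real one also
    # covers the query string and a signed-headers list. Date is always in it.
    msg = "\n".join([method, uri, date_header, access_key]).encode()
    return hmac.new(KEYS[access_key], msg, hashlib.sha256).hexdigest()

def verify(headers, method, uri, clock_skew, now):
    """Return (status, reason) after the two checks the comment describes."""
    try:
        sent = parsedate_to_datetime(headers["Date"])
    except (KeyError, TypeError, ValueError):
        return 401, "missing or malformed Date header"
    if sent.tzinfo is None:            # "-0000" parses as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    # Step 2: a Date outside the clock_skew window is rejected. abs() also
    # rejects a Date set in the future, not only a stale one.
    if abs((now - sent).total_seconds()) > clock_skew:
        return 401, "Clock skew exceeded"
    key = headers.get("X-HMAC-ACCESS-KEY")
    if key not in KEYS:
        return 401, "unknown access key"
    # Step 3: Date is inside the signed string, so rewriting it without the
    # secret invalidates the signature. Compare in constant time.
    expected = sign(method, uri, headers["Date"], key)
    if not hmac.compare_digest(expected, headers.get("X-HMAC-SIGNATURE", "")):
        return 401, "Invalid signature"
    return 200, "ok"

def demo(request_age, verify_delay, clock_skew=300, refresh_date=False):
    """Constructed scenario: sign a request dated request_age seconds before
    NOW, then verify it verify_delay seconds after NOW. refresh_date models a
    replayed copy whose Date was rewritten but which cannot be re-signed."""
    sent = format_datetime(NOW - timedelta(seconds=request_age), usegmt=True)
    hdrs = {"Date": sent, "X-HMAC-ACCESS-KEY": "user-key",
            "X-HMAC-SIGNATURE": sign("GET", "/index.html", sent, "user-key")}
    at = NOW + timedelta(seconds=verify_delay)
    if refresh_date:
        hdrs["Date"] = format_datetime(at, usegmt=True)
    return verify(hdrs, "GET", "/index.html", clock_skew, at)

if __name__ == "__main__":
    print(demo(30, 0), demo(30, 600), demo(30, 600, refresh_date=True))
```

With `clock_skew=300`, a 30-second-old request passes, the same request replayed ten minutes later fails the skew check, and a copy with a refreshed `Date` fails the signature check instead.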

