Give choice in signed headers #119
Comments
Yeah, that's fair – when this library was created there wasn't a list of included/excluded headers. Since then there's been a little more info, like this: Have you got documentation showing which headers need to be signed (vs just a list of which ones don't)?
I don't, because there isn't one. In theory, customers can sign any header. In reality, some headers are blocked by AWS because they are 'internal', or just not supported by some services/components, so I would advise flexibility here
I think I'll follow the Java client as a minimum: https://github.com/aws/aws-sdk-java-v2/blob/dc695de6ab49ad03934e1b02e7263abbd2354be0/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L59
Just released v1.11.0 that should address this – at least, it should prevent errors. I'm not really interested in expanding the API to allow users to specify which headers they sign and which they don't. At least, not unless I have to address certain scenarios with AWS services.
There is no reason for all HTTP headers to be signed during AWS SigV4, and actually, some services like SES are requesting customers not to sign some headers like 'connection'.
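The effect discussed in this thread, as an added example that is not this library's code or any commenter's: it builds the SigV4 canonical headers and `SignedHeaders` list with an exclusion set, then rebuilds them on the verifying side from the headers that arrived. Only `connection` comes from the thread; the other excluded names, the function names and the sample request are assumptions constructed for illustration.

```javascript
// Added example. Headers left out of the signature; 'connection' comes from
// the thread, the other names are illustrative assumptions.
const UNSIGNED = new Set(['connection', 'user-agent', 'x-amzn-trace-id', 'expect']);

// Lowercase names, trim and collapse whitespace in values, sort by name.
function canonicalize(headers, include) {
  const merged = new Map();
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!include(key)) continue;
    const cleaned = String(value).trim().replace(/\s+/g, ' ');
    merged.set(key, merged.has(key) ? `${merged.get(key)},${cleaned}` : cleaned);
  }
  const names = [...merged.keys()].sort();
  return {
    canonicalHeaders: names.map((n) => `${n}:${merged.get(n)}\n`).join(''),
    signedHeaders: names.join(';'),
  };
}

// Client side: sign everything except the excluded names.
function forSigning(headers, unsigned = UNSIGNED) {
  return canonicalize(headers, (name) => !unsigned.has(name));
}

// Verifier side: rebuild only the headers named in SignedHeaders.
function forVerifying(headers, signedHeaders) {
  const listed = new Set(signedHeaders.split(';'));
  return canonicalize(headers, (name) => listed.has(name)).canonicalHeaders;
}

// Constructed sample request, and the same request after an intermediary
// has rewritten the hop-by-hop Connection header.
const sent = {
  Host: 'email.us-east-1.amazonaws.com',
  'X-Amz-Date': '20200101T000000Z',
  'Content-Type': 'application/x-www-form-urlencoded;  charset=utf-8',
  Connection: 'keep-alive',
};
const received = { ...sent, Connection: 'close' };

function demo() {
  const skip = forSigning(sent);
  const all = forSigning(sent, new Set());
  return {
    signedHeaders: skip.signedHeaders,
    matchesWhenSkipped: forVerifying(received, skip.signedHeaders) === skip.canonicalHeaders,
    matchesWhenAllSigned: forVerifying(received, all.signedHeaders) === all.canonicalHeaders,
  };
}
```

Because the canonical headers feed the string to sign, the mismatch in the all-signed case is what surfaces as a signature error at the service.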