
cloudflare/web-bot-auth

Web Bot Auth


This repo contains Web Bot Auth libraries and examples for signed automated HTTP traffic, as described in draft-meunier-webbotauth-httpsig-protocol.

Examples

Live deployment

Cloudflare Research provides a live environment at http-message-signatures-example.research.cloudflare.com.

Use this deployment to test an implementation.

  1. It validates that an incoming request carries a Signature header produced with the RFC 9421 Ed25519 test key,
  2. It exposes a bot directory at /.well-known/http-message-signatures-directory,
  3. It serves debug tools for request signatures, JWK key IDs, and directories.
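The round trip that deployment exercises, written out as an added example that is not part of this README or of the web-bot-auth packages: it builds the RFC 9421 signature base for a request, signs it with a freshly generated Ed25519 key whose keyid is the key's RFC 7638 JWK thumbprint, and verifies it the way a server would. It uses only node:crypto. The covered components (@authority and signature-agent), the parameters (created, expires, keyid, nonce, tag="web-bot-auth") and the quoted form of the Signature-Agent value are this example's assumptions; check them against draft-meunier-webbotauth-httpsig-protocol before relying on them.

```typescript
// Added example for this page, not the web-bot-auth library's API. Component set,
// parameters and header shapes are assumptions to be checked against the draft.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export interface HttpRequest {
  method: string;
  authority: string;                 // host[:port], the @authority derived component
  path: string;
  headers: Record<string, string>;   // lower-case field names
}

export interface SigParams {
  created: number; expires: number; keyid: string; nonce: string; tag: string;
}

// RFC 7638 thumbprint of an OKP/Ed25519 public key: SHA-256 over the canonical
// JSON of the required members in lexicographic order (crv, kty, x), base64url.
export function jwkThumbprint(pub: KeyObject): string {
  const jwk = pub.export({ format: "jwk" }) as { crv: string; kty: string; x: string };
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x });
  return createHash("sha256").update(canonical).digest("base64url");
}

// Value of one covered component. RFC 9421 section 2.1 trims and collapses
// field whitespace; only the derived components needed here are implemented.
function componentValue(req: HttpRequest, id: string): string {
  if (id === "@method") return req.method.toUpperCase();
  if (id === "@authority") return req.authority.toLowerCase();
  if (id === "@path") return req.path;
  if (id.startsWith("@")) throw new Error(`unsupported derived component ${id}`);
  const v = req.headers[id];
  if (v === undefined) throw new Error(`covered field ${id} is absent`);
  return v.trim().replace(/\s+/g, " ");
}

// Serialized inner list used both as the Signature-Input value and as the last
// line of the signature base, e.g. ("@authority" "signature-agent");created=...
export function signatureParams(components: string[], p: SigParams): string {
  const list = components.map((c) => `"${c}"`).join(" ");
  return `(${list});created=${p.created};expires=${p.expires};keyid="${p.keyid}";nonce="${p.nonce}";tag="${p.tag}"`;
}

// RFC 9421 section 2.5 signature base: one "id": value line per component, then
// the "@signature-params" line, joined by LF with no trailing newline.
export function signatureBase(req: HttpRequest, components: string[], params: string): string {
  const lines = components.map((c) => `"${c}": ${componentValue(req, c)}`);
  lines.push(`"@signature-params": ${params}`);
  return lines.join("\n");
}

export function signRequest(req: HttpRequest, priv: KeyObject, components: string[], p: SigParams, label = "sig1"): HttpRequest {
  const params = signatureParams(components, p);
  const sig = sign(null, Buffer.from(signatureBase(req, components, params)), priv).toString("base64");
  return { ...req, headers: { ...req.headers, "signature-input": `${label}=${params}`, signature: `${label}=:${sig}:` } };
}

// Verifier side: parse Signature-Input, check tag, freshness and key binding, then
// rebuild the base from the received parameter string verbatim (re-serialising it
// on the verifier would silently reject valid signatures on any formatting drift).
export function verifyRequest(req: HttpRequest, pub: KeyObject, now: number): boolean {
  const si = /^([A-Za-z0-9_-]+)=(\(([^)]*)\)(.*))$/.exec(req.headers["signature-input"] ?? "");
  const sg = /^([A-Za-z0-9_-]+)=:([A-Za-z0-9+/=]+):$/.exec(req.headers["signature"] ?? "");
  if (!si || !sg || si[1] !== sg[1]) return false;
  const [, , params, inner, rest] = si;
  const components = inner.split(" ").filter(Boolean).map((c) => c.replace(/^"|"$/g, ""));
  const p: Record<string, string> = {};
  for (const kv of rest.split(";").filter(Boolean)) {
    const i = kv.indexOf("=");
    if (i < 0) return false;
    p[kv.slice(0, i)] = kv.slice(i + 1).replace(/^"|"$/g, "");
  }
  if (p.tag !== "web-bot-auth" || !components.includes("@authority")) return false;
  if (!(Number(p.created) <= now && now < Number(p.expires))) return false;
  if (p.keyid !== jwkThumbprint(pub)) return false;   // the key used must be the one advertised
  try {
    return verify(null, Buffer.from(signatureBase(req, components, params)), pub, Buffer.from(sg[2], "base64"));
  } catch (_e) {
    return false;                                      // e.g. a covered field is missing
  }
}

// Constructed request and a fresh key pair; returns the outcomes a test can assert on.
export function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const req: HttpRequest = { method: "GET", authority: "example.com", path: "/", headers: { "signature-agent": '"https://bot.example"' } };
  const p: SigParams = { created: 1700000000, expires: 1700000300, keyid: jwkThumbprint(publicKey), nonce: "c29tZS1ub25jZQ==", tag: "web-bot-auth" };
  const signed = signRequest(req, privateKey, ["@authority", "signature-agent"], p);
  return {
    ok: verifyRequest(signed, publicKey, 1700000100),
    replayedToOtherHost: verifyRequest({ ...signed, authority: "other.example" }, publicKey, 1700000100),
    expired: verifyRequest(signed, publicKey, 1700000400),
    wrongKey: verifyRequest(signed, generateKeyPairSync("ed25519").publicKey, 1700000100),
  };
}
```

Two things a production verifier does that this example leaves out: it resolves the key by looking up keyid in the bot's signed key directory (the /.well-known/http-message-signatures-directory resource above) instead of holding the public key in memory, and it records the nonce for the created..expires window so that a captured request cannot be replayed against the same authority while the signature is still fresh.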

Signing

| Example | Description |
| --- | --- |
| Browser extension | Adds a Signature on every outgoing request |
| Rust | Signs a hardcoded test request |

Verifying

| Example | Description |
| --- | --- |
| Cloudflare Workers | Verify RFC 9421 Signature for every incoming request |
| Caddy Plugin | Verify RFC 9421 Signature for every incoming request |
| Rust | Verify a sample test request |

HTTP Signature Directories

| Example | Description |
| --- | --- |
| Cloudflare Workers | Host a registry, Signature Agent Card, and signed key directory on Cloudflare Workers |

Development

This repository uses npm and cargo workspaces. It provides the following packages:

| Package | Language | Description |
| --- | --- | --- |
| http-message-sig | TypeScript | HTTP Message Signatures as defined in RFC 9421 |
| jsonwebkey-thumbprint | TypeScript | JWK Thumbprint as defined in RFC 7638 |
| web-bot-auth | TypeScript | HTTP Message Signatures for Bots as defined in draft-meunier-webbotauth-httpsig-protocol-00 |
| web-bot-auth | Rust | HTTP Message Signatures for Bots as defined in draft-meunier-webbotauth-httpsig-protocol-00 |
| http-signature-directory | Rust | Validates whether an HTTP message signature directory is correctly signed and valid |

Security Considerations

This software has not been audited. Please use at your sole discretion.

License

This project is under the Apache 2.0 license.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be Apache 2.0 licensed as above, without any additional terms or conditions.

About

Sign and verify orchestrated HTTP requests
