Date header forbidden


#1

I’ve set up Tyk to use HMAC authorisation on our APIs. This works fine for requests made backend to backend and with Postman. However, when making requests from client web applications we run into the problem that we cannot set the Date field. It is a forbidden field that cannot be altered and is controlled by the browser. Tyk, however, requires the header field to be present.

When preparing the request it is not yet available so I cannot use it to calculate the signature.

How can this be solved? Can we use a different header to send the Date?


#2

Hi,

Yes you can, we introduced a customised date header to handle .Net 2.x based clients which are also not able to set the date header. Instead of date you can set X-aux-date and it should work.

Though doing this in a JS app that can be manipulated in the browser isn’t recommended.


#3

Hi,

Using x-aux-date does not work unfortunately. The response is that the signature is invalid. Using the Date header does work. I’m using Postman for this test. Changing X-aux-date to Date does work in Postman.

We have a single-page application written in JavaScript that needs to be able to work with our API. SPAs aren’t uncommon. I’m open to a better solution to prevent unauthorised access to the API, including preventing replay attacks.


#4

Hi,

Here is the test that handles this scenario:

https://github.com/TykTechnologies/tyk/blob/master/middleware_hmac_test.go#L127

We’ve also had users with this issue get around the problem with using this header (aux date headers were required for old versions of .Net), the code that gets the header, prefers it to the Date header:

https://github.com/TykTechnologies/tyk/blob/master/middleware_hmac.go#L248

Have you modified your signature string to include the x-aux-date as part of it (signatureString := strings.ToLower("x-aux-date") + ": " + tim)? Maybe looking at the test will help.

M.
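To make the point in #4 concrete, here is an added example in Go (not Tyk’s code and not from this thread) showing both halves: the client builds the signing string from x-aux-date in place of Date and names that header in the Authorization value, and the verifier re-derives the signature, compares it in constant time, and rejects stamps outside a skew window, which is what bounds replay of a captured request. The HTTP Signatures header layout, hmac-sha256, and the five-minute window are assumptions; the secret and timestamp are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// signingString builds the text both sides sign: one "name: value" line per
// header, names lowercased, joined by "\n". Passing x-aux-date here is what
// #4 describes; the rest of the layout is an assumption of this example.
func signingString(headers []string, get func(string) string) string {
	lines := make([]string, 0, len(headers))
	for _, h := range headers {
		lines = append(lines, strings.ToLower(h)+": "+get(h))
	}
	return strings.Join(lines, "\n")
}

// sign returns base64(HMAC-SHA256(secret, s)).
func sign(secret, s string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(s))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// authorizationHeader is the client-side value sent instead of a
// browser-controlled Date: the headers list names x-aux-date explicitly.
func authorizationHeader(keyID, secret, auxDate string) string {
	s := signingString([]string{"x-aux-date"}, func(string) string { return auxDate })
	return fmt.Sprintf(`Signature keyId="%s",algorithm="hmac-sha256",headers="x-aux-date",signature="%s"`,
		keyID, sign(secret, s))
}

// verify re-derives the signature from the received x-aux-date, compares in
// constant time, and rejects timestamps more than skew away from now, so a
// captured request stops validating once the window has passed.
func verify(secret, auxDate, sig string, now time.Time, skew time.Duration) bool {
	t, err := time.Parse(time.RFC1123, auxDate)
	if err != nil || now.Sub(t) > skew || t.Sub(now) > skew {
		return false
	}
	s := signingString([]string{"x-aux-date"}, func(string) string { return auxDate })
	return hmac.Equal([]byte(sign(secret, s)), []byte(sig))
}
```

The skew check alone only bounds replay to the window; a nonce or request-body digest in the signed headers is what closes it completely.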