If I have a complex object that is being sent as an API request (for example `Order` below), should I include all the properties when generating the signature, or should I use just a subset?
I am asking because I am unclear, and from looking at other APIs the request parameters are flat and simple.
```csharp
public class Order
{
    public string Id { get; set; }
    public string ClientIdentifier { get; set; }
    public IEnumerable<OrderItems> OrderItems { get; set; }
    public long timestamp { get; set; }
    public string signature { get; set; }
}

public class OrderItems
{
    public string ItemId { get; set; }
    public string Name { get; set; }
    public IEnumerable<decimal> PriceBands { get; set; }
    // more types
}
```
and so on ....
You first need to understand what signing the message prevents in order to understand what data should be included in the request. Here's a list of the 2 main things that signing the requests blocks attackers from being able to do.
Number 2 has a catch to it. It only helps protect the data that is part of the signature. If you leave any data out, an attacker could change that data and send a different message than the message you sent. This is why, when signing a request, all of the request data needs to be included: the full URI including the domain, headers, querystring parameters, and any posted data such as XML or JSON.
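As an added illustration of the answer above (example code, not from the original post or any particular API), the following builds a canonical string from every part of a request that the answer lists (method, host, path, sorted query, normalised headers, body hash), HMACs it, and then shows that tampering with a query parameter, a header, or a nested field of a body shaped like the question's `Order` class all invalidate the signature. The shared secret, URL and order values are constructed for the demo.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET = b"example-shared-secret"  # constructed; real keys come from a key store


def canonical_request(method, url, headers, body):
    """Serialise every part of the request an attacker could alter on the
    wire, so that changing any of them changes the signed string."""
    parts = urlsplit(url)
    # Sort query parameters so ordering differences do not break verification.
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    # Header names are case-insensitive, so normalise before sorting.
    canon_headers = "\n".join(
        f"{k.lower().strip()}:{v.strip()}"
        for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), parts.netloc.lower(), parts.path,
                      query, canon_headers, body_hash])


def sign(method, url, headers, body, secret=SECRET):
    msg = canonical_request(method, url, headers, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(method, url, headers, body, signature, secret=SECRET):
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(sign(method, url, headers, body, secret), signature)


def _encode(obj):
    # Canonical JSON: sorted keys, no whitespace, so both sides hash the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def demo():
    # Constructed order mirroring the question's Order class; the signature
    # field is carried outside the signed body.
    order = {"Id": "o-1", "ClientIdentifier": "c-42", "timestamp": 1700000000,
             "OrderItems": [{"ItemId": "i-7", "Name": "Widget", "PriceBands": ["9.99"]}]}
    body, url = _encode(order), "https://api.example.com/orders?mode=live"
    headers = {"Content-Type": "application/json", "X-Timestamp": "1700000000"}
    sig = sign("POST", url, headers, body)
    tampered = json.loads(body)
    tampered["OrderItems"][0]["PriceBands"] = ["0.01"]  # nested field changed
    return {"valid": verify("POST", url, headers, body, sig),
            "query_tamper": verify("POST", url.replace("live", "test"), headers, body, sig),
            "header_tamper": verify("POST", url, {**headers, "X-Timestamp": "1"}, body, sig),
            "body_tamper": verify("POST", url, headers, _encode(tampered), sig)}
```

Only the genuine request verifies; each of the three tampered variants fails because the altered part was inside the canonical string.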