Hrithik.Security.RequestSigning
1.0.0
dotnet add package Hrithik.Security.RequestSigning --version 1.0.0
Hrithik.Security.RequestSigning
Enterprise-grade HTTP Request Signing for .NET APIs.
Designed for Banking, Fintech, and secure external integrations.
This library ensures that only trusted clients can send valid requests and that requests cannot be tampered with or forged in transit.
What is Request Signing?
Request signing means the client cryptographically signs the HTTP request using a shared secret.
The server:
- Rebuilds the request in a canonical form
- Re-computes the signature
- Rejects the request if the signature does not match
This prevents:
- Forged requests
- Payload tampering
- Man-in-the-middle modifications
What problem does this solve?
Without request signing:
- Anyone can send a new nonce + timestamp
- Replay protection alone cannot verify who sent the request
With request signing:
- Only clients with a valid secret can generate a valid request
- Any modification to method, path, query, headers, or body is detected
What does this library do?
- Builds a canonical representation of the HTTP request
- Verifies HMAC-SHA256 signatures
- Validates request freshness (timestamp)
- Integrates cleanly with Replay Protection
- Designed for external & partner APIs
Canonical Request Format
The signature is calculated over the following fields (in order):
```
HTTP_METHOD
PATH
QUERY_STRING
CLIENT_ID
NONCE
TIMESTAMP
BODY_HASH
```
All fields are joined using a newline (\n).
Any change to these values will invalidate the signature.
Quick Start (Server)
1. Register services
```csharp
services.AddRequestSigning(options =>
{
    options.AllowedClockSkew = TimeSpan.FromMinutes(5);
});
```
Register a signing key provider:
```csharp
services.AddSingleton<ISigningKeyProvider, InMemorySigningKeyProvider>();
```
2. Add middleware
```csharp
app.UseRequestSigning();
```
This middleware should run before ReplayProtection.
Required Request Headers
Every signed request must include:
- X-Client-Id: Client identifier
- X-Request-Id: Unique nonce (UUID recommended)
- X-Timestamp: Unix timestamp (UTC, seconds)
- X-Signature: Base64 HMAC-SHA256 signature
Example Client Signing (Concept)
```
signature = Base64(
    HMACSHA256(secret, canonicalRequest)
)
```
The server recomputes this signature and compares it in constant time.
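Both sides of the scheme described above, as an added example that is not the library's own code. It assumes BODY_HASH is the lowercase hex SHA-256 of the raw body and that the shared secret is used as raw bytes; the class name, method names, path and sample values are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class SigningExample // hypothetical names, not the library's API
{
    // Canonical request: the seven documented fields, in order, joined with '\n'.
    // Assumption: BODY_HASH is the lowercase hex SHA-256 of the raw body bytes.
    static string Canonicalize(string method, string path, string query,
        string clientId, string nonce, long timestamp, byte[] body)
    {
        string bodyHash = Convert.ToHexString(SHA256.HashData(body)).ToLowerInvariant();
        return string.Join("\n", method.ToUpperInvariant(), path, query, clientId, nonce,
            timestamp.ToString(CultureInfo.InvariantCulture), bodyHash);
    }

    // HMAC-SHA256 over the UTF-8 bytes of the canonical request.
    static byte[] Mac(byte[] secret, string canonical) =>
        HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes(canonical));

    // Server side: check freshness, recompute the MAC, compare in constant time.
    static bool Verify(byte[] secret, string canonical, string presentedBase64,
        long timestamp, long now, TimeSpan allowedSkew)
    {
        if (Math.Abs(now - timestamp) > allowedSkew.TotalSeconds) return false;
        byte[] expected = Mac(secret, canonical);
        byte[] given = new byte[expected.Length];
        if (!Convert.TryFromBase64String(presentedBase64, given, out int n) || n != expected.Length)
            return false; // malformed or wrong-length signature
        return CryptographicOperations.FixedTimeEquals(expected, given);
    }

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed value
        byte[] body = Encoding.UTF8.GetBytes("{\"amount\":100}");          // constructed value
        long ts = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string nonce = Guid.NewGuid().ToString();

        string canonical = Canonicalize("POST", "/api/transfer", "", "client-a", nonce, ts, body);
        string signature = Convert.ToBase64String(Mac(secret, canonical)); // X-Signature value
        Console.WriteLine(Verify(secret, canonical, signature, ts, ts, TimeSpan.FromMinutes(5)));

        // Body altered in transit: the server's canonical form differs, so verification fails.
        string seen = Canonicalize("POST", "/api/transfer", "", "client-a", nonce, ts, new byte[] { 1 });
        Console.WriteLine(Verify(secret, seen, signature, ts, ts, TimeSpan.FromMinutes(5)));
    }
}
```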
Security Notes (IMPORTANT)
- This library authenticates requests, not users
- It does not replace OAuth, JWT, or mTLS
It is designed to work together with:
- Authentication (JWT / OAuth / mTLS)
- Replay protection
- Optional JWE / JWS message security
Recommended middleware order
```csharp
app.UseRequestSigning();
app.UseReplayProtection();
```
Production Usage
For production systems:
- Store client secrets securely (DB / Vault / Key Management Service)
- Rotate secrets periodically
- Use Replay Protection to prevent duplicate execution
Related Packages
- Hrithik.Security.ReplayProtection: Prevents duplicate or replayed requests
- MainLibProj_Hrithik: JWE / JWS message-level encryption and signing
Together, these provide banking-grade API security.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net8.0: No dependencies.