Hello,
I have been searching for a way to check the authenticity of the request and to prevent replay attacks.
I have landed on a solution to sign the request using salted SHA-256 and get an HMAC for each API request based on encrypted_time_stamp+URI+Params+Payload, send the signature in a header, and then APIGEE will regenerate the HMAC and match it with the one sent in the header.
While the above solution will confirm the authenticity, we still need to address the replay attack,
since there is nothing preventing the same exact request from being sent again.
We thought we could persist our HMACs and make sure they have not been used before.
My ask:
- Can you please evaluate the solution E2E?
- If we are going to persist the HMACs, where is the best place to store them, knowing that we are expecting 10-15 million requests per day? And for how long should they be persisted?
Regards,
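An added illustration of the scheme described in the question (not code from the original post, and not Apigee's own policy code): the client and the gateway build the same canonical string from timestamp, method, URI, sorted query parameters and a hash of the payload, the gateway recomputes the HMAC-SHA256 and compares it in constant time, rejects any timestamp outside a freshness window, and then consults a replay cache keyed by the signature. The header names `X-Timestamp` and `X-Signature`, the shared secret, the 5-minute window and the in-memory cache are all assumptions; a real deployment would use a shared store such as Redis with an atomic set-if-absent plus expiry.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Assumed shared secret for the example; in practice it comes from a secret store or KVM.
SECRET = b"example-shared-secret"
# Assumed freshness window: accept timestamps within +/- 5 minutes of gateway time.
WINDOW_SECONDS = 300


def canonical_string(timestamp, method, uri, params, payload):
    """Build the exact byte string both sides sign.

    Ordering and encoding must be identical on client and gateway or the HMACs
    will never match; query params are sorted so ?a=1&b=2 and ?b=2&a=1 agree.
    """
    sorted_params = urlencode(sorted(params.items()))
    payload_hash = hashlib.sha256(payload).hexdigest()
    parts = [str(timestamp), method.upper(), uri, sorted_params, payload_hash]
    return "\n".join(parts).encode()


def sign(secret, timestamp, method, uri, params, payload):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded for the header."""
    msg = canonical_string(timestamp, method, uri, params, payload)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayCache:
    """In-memory stand-in for a shared store (e.g. Redis SET ... NX EX).

    Entries only need to live as long as the acceptance window: anything with
    an older timestamp is already rejected before the cache is consulted.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self._seen = {}  # signature -> expiry (epoch seconds)

    def add_if_absent(self, key, now):
        """Return True if key was not present (and record it), False if seen."""
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if key in self._seen:
            return False
        self._seen[key] = now + self.ttl
        return True


def verify(secret, cache, headers, method, uri, params, payload, now=None):
    """Gateway side: returns (ok, reason). Order: freshness, signature, replay."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "timestamp outside acceptance window"
    expected = sign(secret, ts, method, uri, params, payload)
    provided = headers.get("X-Signature", "")
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    # Only signatures that were valid and fresh are worth recording.
    if not cache.add_if_absent(provided, now):
        return False, "replay detected"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache(WINDOW_SECONDS)
    now = 1_700_000_000  # constructed fixed clock so the run is deterministic
    body = b'{"qty": 1}'
    sig = sign(SECRET, now, "POST", "/v1/orders", {"b": "2", "a": "1"}, body)
    hdrs = {"X-Timestamp": str(now), "X-Signature": sig}
    print(verify(SECRET, cache, hdrs, "POST", "/v1/orders", {"a": "1", "b": "2"}, body, now=now))
    print(verify(SECRET, cache, hdrs, "POST", "/v1/orders", {"a": "1", "b": "2"}, body, now=now + 1))
```

The freshness window is what bounds the storage question: because a stale timestamp is rejected before the cache is consulted, a recorded signature only needs to be retained for the window's duration (plus clock-skew slack), not indefinitely. At 15 million requests per day (roughly 175 per second) and a 5-minute window, that is on the order of 50,000 live entries, which fits comfortably in a shared in-memory store with per-key expiry; the check and the insert must be a single atomic operation so two concurrent copies of the same request cannot both pass.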