remove TTL from is_timed_hmac_valid_v0
Hello, is it possible to disable the TTL, so WAF only used for verifying the hmac without checking expiration, thankyou
(http.host eq "mydomain.com" and not is_timed_hmac_valid_v0("mysecret", http.request.uri, 300, http.request.timestamp.sec, 8))4 Replies
I see, but I can make it for 50 years, then I update it 50 years later, correct ?
do you think is_timed_hmac_valid_v0 can receive value from header instead of http.request.uri ?
this should not be a problem, as it store second, not epoch
yeah, but It's not like defining epoch since 1970 correct?, it a second addition until expired (like 300 on the rule above)
thanks leo
I don't understand, it's should be on cloudflare to maintain it's data type, correct ?
:MeowHeartCloudflare:
nice seems working
if not valid hmac or expired, then redirect to rick astley
you can use some arbitary vaule instead of http.request.timestamp, like define request timestamp to zero and set HMAC timestamp to zero to make never expiring signature
setting expire to far far far after may be enough