Convoy-Timestamp. This timestamp is also included in the signature header and is signed together with the request body using the endpoint secret. Therefore, an attacker cannot change the timestamp without invalidating the signature.
Take the following steps to verify your signature and prevent replay attacks:
- Extract the timestamp and the signature from the request headers, and read the raw request body.
- Build the signed payload by concatenating the timestamp, a comma (`,`), and the request body.
- Compute a signature over that concatenated string using the endpoint secret and your hashing algorithm (e.g. SHA256).
- Compare the newly computed signature with the value in the signature header. If they match, check the interval between the timestamp and the current time; set a tolerance on this interval in your system so that captured requests cannot be replayed later.