From ea3979bc8acd795b22f471ddaa2ad4467d31a0ac Mon Sep 17 00:00:00 2001 From: Jesse Wierzbinski Date: Mon, 21 Apr 2025 18:32:29 +0200 Subject: [PATCH] fix: :bug: Clarify that signatures are required on GET requests too --- app/signatures/page.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/app/signatures/page.mdx b/app/signatures/page.mdx index b1359f8..d3b700d 100644 --- a/app/signatures/page.mdx +++ b/app/signatures/page.mdx @@ -23,6 +23,7 @@ A signature consists of a series of headers in an HTTP request. The following he Signatures are **required on ALL federation traffic**. If a request does not have a signature, it **MUST** be rejected. Specifically, signatures must be put on: - **All POST requests**. +- **All GET requests**. - **All responses to GET requests** (for example, when fetching a user's profile). In this case, the HTTP method used in the signature string must be `GET`. If a signature fails, is missing or is invalid, the instance **MUST** return a `401 Unauthorized` HTTP status code. If the signature timestamp is too old or too new (more than 5 minutes from the current time), the instance **MUST** return a `422 Unprocessable Entity` status code.
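Review bot: The added bullet `- **All GET requests**.` in the `@@ -23,6 +23,7 @@` hunk states the requirement but leaves out the detail its neighbour gives. The bullet that follows it, for responses to GET requests, carries an example and says the HTTP method in the signature string must be `GET`. Placed directly after the new bullet, its "In this case" now reads ambiguously. Consider saying on the new line which method goes into the signature string for the request itself, and rewording the next bullet so it is clear that it covers the response signature only. The closing paragraph on `401 Unauthorized` and `422 Unprocessable Entity` is written from the point of view of an instance receiving a request. With both GET requests and GET responses now in the list, it would help to state that an unsigned or badly signed GET request gets the same `401` as a POST, and what a requester should do when the signature on a response fails, since a requester cannot return a status code.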