remove TTL from is_timed_hmac_valid_v0

Hello, is it possible to disable the TTL, so WAF only used for verifying the hmac without checking expiration, thankyou

(http.host eq "mydomain.com" and not is_timed_hmac_valid_v0("mysecret", http.request.uri, 300, http.request.timestamp.sec, 8))

(http.host eq "mydomain.com" and not is_timed_hmac_valid_v0("mysecret", http.request.uri, 300, http.request.timestamp.sec, 8))

(http.host eq "mydomain.com" and not is_timed_hmac_valid_v0("mysecret", http.request.uri, 300, http.request.timestamp.sec, 8))

(http.host eq "mydomain.com" and not is_timed_hmac_valid_v0("mysecret", http.request.uri, 300, http.request.timestamp.sec, 8))

Original message was deleted

RubiOP•2/18/24, 6:51 PM

I see, but I can make it for 50 years, then I update it 50 years later, correct ?

Original message was deleted

RubiOP•2/18/24, 6:52 PM

do you think is_timed_hmac_valid_v0 can receive value from header instead of http.request.uri ?

Original message was deleted

RubiOP•2/18/24, 6:52 PM

this should not be a problem, as it store second, not epoch

RubiOP•2/18/24, 6:53 PM

yeah, but It's not like defining epoch since 1970 correct?, it a second addition until expired (like 300 on the rule above)

RubiOP•2/18/24, 6:54 PM

thanks leo

RubiOP•2/18/24, 6:55 PM

I don't understand, it's should be on cloudflare to maintain it's data type, correct ?

RubiOP•2/18/24, 6:55 PM

:MeowHeartCloudflare:

Original message was deleted

RubiOP•2/18/24, 7:32 PM

nice seems working

RubiOP•2/18/24, 7:32 PM

if not valid hmac or expired, then redirect to rick astley

delta•2/18/24, 8:49 PM

you can use some arbitary vaule instead of http.request.timestamp, like define request timestamp to zero and set HMAC timestamp to zero to make never expiring signature

setting expire to far far far after may be enough

remove TTL from is_timed_hmac_valid_v0

Similar Threads

Similar Threads

Similar Threads