In the User Manual, the sample code for verifying the Mailgun authentication signature uses `==`.
E.g. e306a37#diff-229131ed0af7cf80ed3a9470ec7beb4cR701
But `==` comparisons are vulnerable to timing attacks. Is it worth mentioning to use a constant time comparison?
In Ruby, there's a `secure_compare` method provided by Rack and Rails.
```ruby
# Rack
Rack::Utils.secure_compare(a, b)
# Rails
ActiveSupport::SecurityUtils.secure_compare(a, b)
```
In Python, there's a `compare_digest` function in the standard library.
```python
import hmac
hmac.compare_digest(a, b)
```
Both languages also have 3rd party libraries if the reader doesn't want to use any of the above methods.
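As an added example (not code from the issue author or from the Mailgun manual), here is the `==` check the issue objects to beside the `hmac.compare_digest` version, for a webhook signature verifier. It assumes Mailgun's published scheme of HMAC-SHA256 keyed with the API key over the concatenation `timestamp + token`, hex-encoded; the key and webhook fields are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key; not a real Mailgun credential.
API_KEY = "key-constructed-sample-0123456789abcdef"


def mailgun_expected_signature(api_key: str, timestamp: str, token: str) -> str:
    """Recompute the webhook signature: HMAC-SHA256 over timestamp + token,
    keyed with the API key and hex-encoded (assumed to match Mailgun's scheme)."""
    return hmac.new(
        key=api_key.encode("utf-8"),
        msg=(timestamp + token).encode("utf-8"),
        digestmod=hashlib.sha256,
    ).hexdigest()


def verify_naive(api_key: str, timestamp: str, token: str, signature: str) -> bool:
    """The pattern the issue flags: str equality stops at the first mismatching
    character, so the time taken depends on how long a correct prefix was supplied."""
    return mailgun_expected_signature(api_key, timestamp, token) == signature


def verify_constant_time(api_key: str, timestamp: str, token: str, signature) -> bool:
    """Same check with hmac.compare_digest, whose running time does not depend
    on where the two strings first differ."""
    # compare_digest requires both operands to be the same type and, for str,
    # ASCII only; otherwise it raises TypeError. Reject malformed input up front.
    if not isinstance(signature, str) or not signature.isascii():
        return False
    expected = mailgun_expected_signature(api_key, timestamp, token)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed webhook fields as a Mailgun POST would carry them.
    ts, tok = "1700000000", "constructed-token-abc123"
    sig = mailgun_expected_signature(API_KEY, ts, tok)
    print(verify_constant_time(API_KEY, ts, tok, sig))             # True
    print(verify_constant_time(API_KEY, ts, tok, sig[:-1] + "g"))  # False: last char is not hex
```

Both functions accept and reject the same inputs; only the time taken to reject differs, which is the whole point of the change.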
Hi, I'm working on a collection of these in #217 :)
Do we have anything in Java to compare the digest?
@cogr4q: `MessageDigest.isEqual`