The Session Signatures feature is now available.
It is designed to securely store the current user's session credentials in web and client applications, significantly increasing application security and protecting against two key problems:
- Theft of user session authorization data
- Cross-Site Request Forgery
For Session Signatures to work, the client only needs to generate a session key pair before authorization and pass the public key to the server during authorization. If authorization succeeds, the server checks the cryptographic signature carried in the x-auth-sign header of every subsequent request.
Highlights:
- There is a built-in mechanism for checking timestamps in signatures: a request whose signature timestamp falls outside the allowed interval is not executed
- The session key on clients is generated as non-exportable
- It is possible to enable hashing of the request body
- Most cryptographic operations complete in less than 1ms
Limitations:
- Request body hashing does not work with multipart form data