Feature Request: Check for nonce?

[JeffKandel]

I would like to be able to include a nonce in the canonical string for added security. Would you be in favor of adding this feature?

If not, do you have any suggestions for a workaround? In my use case, I think I could put a nonce in the request body and Content-MD5. Is this reasonable?

[mgomes]

Hi @JeffKandel, I don't see how adding a nonce would provide added security. Could you elaborate?

HMAC authentication is already protected against replay attacks by having things like the timestamp be part of the canonical string. We also by default reject requests older than 15 minutes for additional security.

[JeffKandel]

The use of a nonce doesn't add a new layer of defense, but it doesn't fortify the system again replay attacks. The option is a nice-to-have in my case, but I could imagine some projects with stricter requirements to use a nonce. If you agree, we could chat about implementation and I'd be happy to try it out.