Required components covered

Signature-Input must cover @authority, and signature-agent too whenever a Signature-Agent header is sent.

What this check verifies

The parenthesised list at the start of Signature-Input names the covered components: the parts of the request the signature commits to. For the web-bot-auth profile the architecture draft makes exactly one component mandatory, @authority, which RFC 9421 defines as the target URI's host plus the port when it is not the scheme's default. The Cloudflare reference implementation encodes the same rule in its REQUIRED_COMPONENTS lists.

signature-agent is required only when you send a Signature-Agent header. The draft puts it this way: if the header is sent, it MUST be signed as a component. So the rule is conditional: no header, no requirement; header present, the component must be covered. The component identifier is the lowercased field name, signature-agent, as RFC 9421 requires for any covered header field.

This check reads the covered set from Signature-Input and confirms @authority is there. If the request also carries a Signature-Agent header, it confirms signature-agent is covered as well. A missing required component fails the check.

Signature-Input: sig1=("@authority" "signature-agent");created=...;keyid="...";tag="web-bot-auth"
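The check described above, as an added Python example that is not the checker's or Cloudflare's own code: it parses the Signature-Input dictionary (a small RFC 8941 parser rather than a regex, so a component-level parameter such as ;name="id" is not mistaken for a component) and reports, per signature label, which required components are missing, treating signature-agent as required only when the request carries a Signature-Agent header. The sample headers, key id and directory URL are constructed placeholders, and the quoted-string form of the Signature-Agent value is an assumption; the two minimal covered lists from "How to fix it" appear among the samples.

```python
# Added example (not the checker's code); sample headers below are constructed.
from dataclasses import dataclass, field

REQUIRED_ALWAYS = ("@authority",)
# Required only if the named header is sent; RFC 9421 lowercases field names.
REQUIRED_IF_HEADER = {"signature-agent": "Signature-Agent"}

@dataclass
class SignatureInput:
    label: str
    components: list = field(default_factory=list)  # covered component names
    params: dict = field(default_factory=dict)      # created, keyid, tag, ...

def _skip_spaces(s, i):
    while i < len(s) and s[i] == " ":
        i += 1
    return i

def _read_quoted(s, i):
    """Read an RFC 8941 sf-string at s[i] == '"'; return (value, next index)."""
    out, i = [], i + 1
    while i < len(s):
        c = s[i]
        if c == '"':
            return "".join(out), i + 1
        if c == "\\":  # only \" and \\ are legal escapes
            i, c = i + 1, s[i + 1:i + 2]
            if c not in ('"', "\\"):
                raise ValueError("bad escape in quoted string")
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted string")

def _read_token(s, i):  # key, token or integer; returns (text, next index)
    j = i
    while j < len(s) and (s[j].isalnum() or s[j] in "_-.*:/@!#$%&'+^`|~?"):
        j += 1
    if j == i:
        raise ValueError(f"expected token at offset {i}")
    return s[i:j], j

def _read_params(s, i):  # zero or more ';key[=value]'; returns (dict, next index)
    params = {}
    while i < len(s) and s[i] == ";":
        key, i = _read_token(s, _skip_spaces(s, i + 1))
        value = True  # a bare key is the boolean parameter ?1
        if i < len(s) and s[i] == "=":
            reader = _read_quoted if s[i + 1:i + 2] == '"' else _read_token
            value, i = reader(s, i + 1)
        params[key] = value
    return params, i

def parse_signature_input(header):
    """Parse Signature-Input (a Dictionary of Inner Lists) into {label: SignatureInput}."""
    sigs, i, n = {}, 0, len(header)
    while (i := _skip_spaces(header, i)) < n:
        label, i = _read_token(header, i)
        if header[i:i + 2] != "=(":
            raise ValueError(f"{label!r}: covered components must be an inner list")
        sig, i = SignatureInput(label), _skip_spaces(header, i + 2)
        while header[i:i + 1] != ")":  # "" at end of input also lands here
            if header[i:i + 1] != '"':
                raise ValueError(f"{label!r}: unterminated or malformed inner list")
            name, i = _read_quoted(header, i)
            _, i = _read_params(header, i)  # per-component params, e.g. ;name="id"
            sig.components.append(name)
            i = _skip_spaces(header, i)
        sig.params, i = _read_params(header, i + 1)
        sigs[label] = sig
        i = _skip_spaces(header, i)
        if i < n and header[i] != ",":
            raise ValueError(f"unexpected {header[i]!r} at offset {i}")
        i += 1
    return sigs

def missing_required_components(headers):
    """Per signature label, the required covered components it lacks ([] = pass)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "signature-input" not in lower:
        raise ValueError("request has no Signature-Input header")
    required = [*REQUIRED_ALWAYS, *(c for c, h in REQUIRED_IF_HEADER.items() if h.lower() in lower)]
    return {label: [c for c in required if c not in sig.components]
            for label, sig in parse_signature_input(lower["signature-input"]).items()}

# Constructed sample headers (placeholder keyid and directory, not real values).
PARAMS = ';created=1700000000;expires=1700000300;keyid="example-key";tag="web-bot-auth"'
AGENT = {"Signature-Agent": '"https://signature-agent.example"'}
SAMPLES = {
    "no agent header, @authority covered": {"Signature-Input": 'sig1=("@authority")' + PARAMS},
    "agent header sent but not covered": {"Signature-Input": 'sig1=("@authority")' + PARAMS, **AGENT},
    "agent header sent and covered": {"Signature-Input": 'sig1=("@authority" "signature-agent")' + PARAMS, **AGENT},
    "@authority missing": {"Signature-Input": 'sig1=("signature-agent")' + PARAMS, **AGENT},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {missing_required_components(hdrs)}")
```

The comparison is exact rather than case-folded on purpose: a list entry such as "Signature-Agent" would not match the lowercase identifier RFC 9421 requires, and a verifier building the signature base from it would fail anyway, so the check reports it as missing rather than silently accepting it.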

Why it matters

A signature only protects what it covers. If @authority is not in the covered set, the signature says nothing about which host the request was aimed at, so a signature captured on one origin could be replayed against a different origin and still verify. Covering @authority binds the signature to the intended host. It does not make the signature single-use: replay to the same host within the validity window is bounded by the created and expires parameters, which this check does not examine.

signature-agent matters for the same reason. The header tells a verifier which key directory to fetch your keys from. If you send it but leave it uncovered, nothing in the signature attests to its value, so anyone who can modify the request in transit can rewrite the header to point at a directory they control while the signature still checks out; that defeats the point of naming the directory. Covering signature-agent binds the directory you claim to the signature itself.

How to fix it

  1. Always include @authority in the covered components.
  2. If you send a Signature-Agent header, add signature-agent to the covered list too. The two go together: either send the header and cover it, or do neither.

A correct minimal list with no Signature-Agent header:

Signature-Input: sig1=("@authority");created=...;keyid="...";tag="web-bot-auth"

With a Signature-Agent header:

Signature-Input: sig1=("@authority" "signature-agent");created=...;keyid="...";tag="web-bot-auth"

Whatever you cover here must match what is fed into the signature base when the request is signed; a mismatch shows up as a verification failure rather than a covered-components failure.

References

  • RFC 9421 defines covered components, including the @authority derived component.
  • The web-bot-auth architecture draft makes @authority mandatory and signature-agent required when the header is sent.
  • How grading works explains how a missing required component affects the grade.

How the checker scores this

Tier: Signature
Role: Advisory. Failing this never caps the grade or changes the verdict.
Point deduction: A failure deducts 30 points; a warning deducts 8.