Signature-Input parses

The request must carry both a Signature and a Signature-Input header, and both must parse as structured fields (RFC 8941 syntax) in the shape RFC 9421 defines for them.

What this check verifies

HTTP Message Signatures split a signed request across two headers. Signature-Input lists the covered components and the signature parameters; Signature carries the signature bytes. Both are structured-field Dictionaries (RFC 8941 syntax, used as RFC 9421 specifies) keyed by a signature label (commonly sig1):

Signature-Input: sig1=("@authority" "signature-agent");created=1717603200;expires=1717606800;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0";tag="web-bot-auth"
Signature: sig1=:K4cDjQ...base64...==:

This check confirms both headers are present and that each parses. The Signature-Input member must be a parenthesised inner list of covered components, each a quoted string such as "@authority", followed by ;name=value parameters (created and expires are integers; keyid and tag are strings). The Signature member must hold the signature as a byte sequence: base64 between colons. If either header is missing, or either fails to parse, the check fails and the remaining signature checks cannot run.

Why it matters

Everything else in the signature tier reads from these two headers: the covered components, the created and expires timestamps, keyid, the tag, and the signature bytes themselves. If they are missing or malformed, there is nothing to verify. The checker treats this check as the entry point to signature validation; a failure here stops the rest of the signature checks because they have no input to work with.

A common cause is a hand-built header that drops the sig1= label, omits the parentheses around the component list, forgets the colons that delimit the signature byte sequence, or uses different labels on the two headers.

How to fix it

  1. Send both headers. A Signature with no Signature-Input, or the reverse, is not a usable signature.
  2. Use the same label on both. If Signature-Input is keyed sig1=, the Signature header must use sig1= too.
  3. Keep the structured-field shape: a parenthesised component list and ;-separated parameters in Signature-Input, and a :base64: byte sequence in Signature.

Build these with a library that emits RFC 9421 fields rather than concatenating strings by hand. The Cloudflare web-bot-auth reference implementation produces both headers in the correct shape.
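To make the required shape concrete, here is an added example written for this page; it is not the checker's code and not the Cloudflare web-bot-auth reference implementation. It is a small Python parser for the subset of RFC 8941 that these two headers use, wrapped in a check_signature_headers function that mirrors the check described under "What this check verifies" (both headers present, both parse, one label in common) and exercised against the hand-built mistakes listed under "Why it matters" and the three fix steps above. The Signature-Input sample is the page's own example line; the Signature value is a constructed 64-byte placeholder, and the function names and error messages are this example's, not the checker's.

```python
import base64
import re

# The subset of the RFC 8941 grammar these two headers use (sf-boolean and sf-decimal are not needed).
KEY_RE = re.compile(r"[a-z*][a-z0-9_\-.*]*")
STRING_RE = re.compile(r'"((?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\["\\])*)"')
INT_RE = re.compile(r"-?[0-9]{1,15}")
TOKEN_RE = re.compile(r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+\-.^_`|~]*")
BYTESEQ_RE = re.compile(r":([A-Za-z0-9+/=]*):")
PARAM_SEP_RE = re.compile(r"; *")
MEMBER_END_RE = re.compile(r" *, *| *$")  # next dictionary member, or end of the field
SP_RE = re.compile(r" +")

class ParseError(ValueError):
    pass  # any deviation from the grammar

class Token(str):
    pass  # a bare sf-token, kept distinct from the quoted sf-strings RFC 9421 requires for components

class Cursor:
    def __init__(self, text):
        self.s, self.i = text, 0
    def peek(self):
        return self.s[self.i:self.i + 1]  # "" once the input is exhausted
    def take(self, rx, what):
        m = rx.match(self.s, self.i)
        if not m:
            raise ParseError(f"expected {what} at offset {self.i}: {self.s[self.i:self.i + 12]!r}")
        self.i = m.end()
        return m

def parse_bare_item(c):
    ch = c.peek()
    if ch == '"':
        return re.sub(r"\\(.)", r"\1", c.take(STRING_RE, "string").group(1))
    if ch == ":":  # alphabet is checked by the regex; padding by b64decode (binascii.Error is a ValueError)
        return base64.b64decode(c.take(BYTESEQ_RE, "byte sequence").group(1), validate=True)
    if ch == "-" or ch.isdigit():
        return int(c.take(INT_RE, "integer").group(0))
    return Token(c.take(TOKEN_RE, "token").group(0))

def parse_params(c):
    params = {}
    while c.peek() == ";":
        c.take(PARAM_SEP_RE, "';'")
        key = c.take(KEY_RE, "parameter key").group(0)
        has_value = c.peek() == "="
        c.i += has_value
        params[key] = parse_bare_item(c) if has_value else True  # a bare key means ?1
    return params

def parse_dictionary(text, member):
    """Parse 'label=value, label=value'; member() enforces the value shape each header needs."""
    c, members = Cursor(text), {}
    while True:
        key = c.take(KEY_RE, "label").group(0)
        if c.peek() != "=":
            raise ParseError(f"expected '=' after label {key!r}")
        c.i += 1
        members[key] = member(c)
        if "," not in c.take(MEMBER_END_RE, "',' or end of field").group(0):
            return members

def signature_input_member(c):
    if c.peek() != "(":
        raise ParseError("Signature-Input member must be an inner list '(...)' of covered components")
    c.i += 1
    components = []
    while c.peek() != ")":
        item = parse_bare_item(c)
        if type(item) is not str:  # plain str is an sf-string; Token, int and bytes are not allowed here
            raise ParseError(f"component identifier must be a quoted string: {item!r}")
        components.append(item)
        parse_params(c)  # per-component parameters such as ;req are legal but are not needed below
        if c.peek() != ")":
            c.take(SP_RE, "space or ')' after component")
    c.i += 1
    return components, parse_params(c)

def signature_member(c):
    if c.peek() != ":":
        raise ParseError("Signature member must be a byte sequence ':base64:'")
    sig = parse_bare_item(c)
    parse_params(c)  # RFC 9421 defines no parameters on this member; any present are ignored
    return sig

def check_signature_headers(headers):
    """Both headers present, both parse, and they share a label: (True, details) or (False, reason)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    missing = [n for n in ("Signature-Input", "Signature") if n.lower() not in lower]
    if missing:
        return False, "missing header(s): " + ", ".join(missing)
    try:
        sig_input = parse_dictionary(lower["signature-input"], signature_input_member)
        sigs = parse_dictionary(lower["signature"], signature_member)
    except ValueError as e:  # ParseError, or binascii.Error from a malformed byte sequence
        return False, str(e)
    common = sorted(set(sig_input) & set(sigs))
    if not common:
        return False, f"no shared label: Signature-Input {sorted(sig_input)} vs Signature {sorted(sigs)}"
    components, params = sig_input[common[0]]
    return True, {"label": common[0], "components": components, "params": params, "signature": sigs[common[0]]}

# Constructed samples: Signature-Input is the page's example line; the Signature value is a placeholder
# 64-byte sequence (the length of an Ed25519 signature), not a real signature over anything.
SIG_INPUT = ('sig1=("@authority" "signature-agent");created=1717603200;expires=1717606800;'
             'keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0";tag="web-bot-auth"')
FAKE_SIG = base64.b64encode(bytes(range(64))).decode()
GOOD = {"Signature-Input": SIG_INPUT, "Signature": f"sig1=:{FAKE_SIG}:"}
BAD = {  # the hand-built mistakes this check catches
    "label dropped": {"Signature-Input": SIG_INPUT[len("sig1="):], "Signature": GOOD["Signature"]},
    "no parentheses": {"Signature-Input": SIG_INPUT.replace("(", "").replace(")", ""), "Signature": GOOD["Signature"]},
    "no colons": {"Signature-Input": SIG_INPUT, "Signature": f"sig1={FAKE_SIG}"},
    "label mismatch": {"Signature-Input": SIG_INPUT, "Signature": f"sig2=:{FAKE_SIG}:"},
    "Signature missing": {"Signature-Input": SIG_INPUT},
}

if __name__ == "__main__":
    for name, hdrs in [("good", GOOD), *BAD.items()]:
        print(f"{name}: {check_signature_headers(hdrs)}")
```

Run it directly to print the result for the good pair and for each bad one. The parser is strict where RFC 9421 is: component identifiers must be quoted strings, and the Signature member must start with a colon. It handles multiple labels in one header and per-component parameters, but not sf-boolean or sf-decimal items, which neither header uses.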

References

  • RFC 9421 defines the Signature and Signature-Input headers and their grammar.
  • RFC 8941 defines the structured-field types those headers use.
  • How grading works explains how a parse failure stops the signature checks.

How the checker scores this

Tier: Signature
Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
Verdict effect: Failing makes the verdict NOT FOUND.
Point deduction: A failure deducts 30 points; a warning deducts 8.