Replay and freshness

An advisory note that replay protection is operator policy, not a hard protocol requirement. It never fails.

What this check verifies

This check is always advisory. It raises a note that replay protection (a nonce, or a short validity window) is operator policy rather than a protocol requirement, and it never fails the request. A valid Web Bot Auth signature can be replayed within its validity window unless something else stops it, and the architecture draft treats freshness as a SHOULD, not a MUST.

The note appears regardless of what the signature contains. It is a reminder that verification proves who signed a request, not that the request is fresh, and that closing the replay gap is a choice the operator (signer or verifier) makes.

Why it matters

A signature commits to its covered components and its created/expires window. Within that window the same signed request can be sent again and will verify again, because nothing in the signature itself marks a request as already-seen. Whether that matters depends on what the request does. For an idempotent fetch it is usually harmless; for anything with side effects it can be a real replay risk.

There are two common ways to narrow the gap. A short validity window limits how long a captured signature stays usable. A nonce parameter, recorded and rejected on reuse by the verifier, makes each signature single-use. The draft recommends but does not mandate either, which is why the checker raises this as advice rather than scoring it.

How to fix it

There is nothing to fix for the grade; this check never fails. To reduce replay exposure as a matter of policy:

  1. Keep the validity window short, only as long as needed between signing and the request arriving. See the validity window advisory.
  2. Include a nonce and have the verifier reject any nonce it has already seen within the window.
  3. On the verifier side, decide per endpoint how much freshness you require: a read-only endpoint may accept the window alone, while an endpoint with side effects may want nonce tracking or its own idempotency keys.
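As an added example (not the checker's or the draft's own code), the verifier-side policy from steps 1 to 3 in Python: it parses the RFC 9421 parameters out of a constructed Signature-Input value, bounds the validity window, and rejects a nonce it has already seen. The window limit, skew tolerance, sample header and class name are assumptions.

```python
import re

# Constructed sample Signature-Input value in RFC 9421 syntax (not from the page).
SAMPLE_SIGNATURE_INPUT = (
    'sig1=("@method" "@authority" "@path");created=1700000000;expires=1700000120;'
    'nonce="b3a1f0";keyid="example-key";alg="ecdsa-p256-sha256"'
)

_PARAM_RE = re.compile(r';\s*([a-z]+)=("?)([^;"]*)\2')

def parse_signature_params(signature_input: str) -> dict:
    """Return the signature parameters (created, expires, nonce, ...) that follow
    the covered-components list of one Signature-Input value."""
    _, _, params = signature_input.partition(")")
    out = {}
    for name, _quote, value in _PARAM_RE.findall(params):
        out[name] = int(value) if name in ("created", "expires") else value
    return out

class FreshnessVerifier:
    """Verifier-side freshness policy: a bounded validity window plus single-use
    nonces. The limits are assumed policy values, not requirements of the draft."""

    def __init__(self, require_nonce: bool, max_window: int = 300, skew: int = 5):
        self.require_nonce = require_nonce  # per-endpoint choice (step 3 above)
        self.max_window = max_window        # longest window this verifier accepts
        self.skew = skew                    # tolerated clock difference, seconds
        self._seen = {}                     # nonce -> expires; kept only while usable

    def check(self, params: dict, now: int) -> tuple:
        created, expires, nonce = (params.get(k) for k in ("created", "expires", "nonce"))
        if created is None or expires is None:
            return False, "created and expires are both required by this policy"
        if created - self.skew > now:
            return False, "created is in the future"
        if expires + self.skew < now:
            return False, "signature has expired"
        if expires - created > self.max_window:
            return False, "validity window longer than %ds" % self.max_window
        if nonce is None:
            if self.require_nonce:
                return False, "this endpoint requires a nonce"
            return True, "no nonce; accepted on the validity window alone"
        # Forget nonces whose window has closed; a replay of those fails on expiry anyway.
        self._seen = {n: exp for n, exp in self._seen.items() if exp + self.skew >= now}
        if nonce in self._seen:
            return False, "nonce already seen within its window: replay"
        self._seen[nonce] = expires
        return True, "fresh"
```

The nonce table only has to remember a nonce until its own window closes, so its size is bounded by the window length times the request rate.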

References

  • RFC 9421 defines the nonce, created, and expires parameters relevant to freshness.
  • The web-bot-auth architecture draft treats replay protection as a recommendation, not a requirement.
  • Validity window covers the related window-length advisory.
  • How grading works explains why an advisory note never affects the verdict.

How the checker scores this

Tier: Signature
Role: Advisory. Failing this never caps the grade or changes the verdict.
Point deduction: A failure deducts 30 points; a warning deducts 8.