Cryptographically signed headers are a failsafe authentication mechanism for protecting your applications when Mutual Transport Layer Security (mTLS, also known as mutual authentication) fails. Utilizing signed headers provides defense in depth to the protected application when:
Your reverse proxy or VPN is accidentally disabled
Your firewalls or network perimeters are misconfigured
The application is exposed to the internet
An internal user tries to gain unauthorized access
Signed headers take the form of JSON Web Tokens (JWTs), carried in the headers of a request, that allow upstream applications to verify the user's identity.
At a minimum, a valid JWT should include the following criteria:
A cryptographic signature from a trusted source (in this case, Pomerium)
A timestamp that shows the JWT is not expired (found in the exp claim)
Issuer and audience claims that match your application’s domain
This qualifies the JWT as an additional form of authentication (for the user or client), giving the application a layer of security beyond Transport Layer Security (TLS) alone.
Think of the upstream app as the airplane at an airport and TLS as the security checkpoint (that long tunnel you walk through). Anyone boarding the airplane must first pass through the security checkpoint. When you get through security, you get a stamp on your boarding pass that authorizes you to board the airplane.
But, what if someone found a way to skip the security checkpoint and went straight to the airplane?
The airplane, like the upstream app, has no way of knowing that a passenger didn’t come through the secure connection — the TLS tunnel — but the airline attendants can check that the passenger has a stamp on their boarding pass.
A user’s signed JWT acts as the stamp: even when other network configuration mistakes occur, the app can still grant or deny access based on whether the user presents a signed JWT that verifies their identity.
You should use signed headers for any application sensitive enough to justify mTLS. Signed headers can be easily added to provide an additional layer of security to applications using Pomerium.
As covered earlier, signed headers provide an additional layer of security to the protected application when network or infrastructure configurations go awry, usually due to human error.
Pomerium is the top choice for companies looking for an open-source context-aware reverse proxy to manage secure, identity-aware access to applications and services. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium can easily add authentication and authorization to any resource.
Our customers depend on us to secure zero trust, clientless access to their web applications every day.
Check out our open-source GitHub repository or give Pomerium a try today!