Signed Headers: A Safety Net for Application Security

September 7, 2023

Cryptographically signed headers are a failsafe authentication mechanism for protecting your applications when Mutual Transport Layer Security (mTLS, also known as mutual authentication) fails. Utilizing signed headers provides defense in depth to the protected application when:

  • Your reverse proxy or VPN is accidentally disabled

  • Your firewalls or network perimeters are misconfigured

  • The application is exposed to the internet

  • An internal user tries to gain unauthorized access

What are signed headers?

Signed headers take the form of JSON Web Tokens (JWT) for allowing upstream applications to verify user identification. These are included in the headers of a request.

At a minimum, a valid JWT should include the following criteria:

  • A cryptographic signature from a trusted source (in this case, Pomerium)

  • A timestamp that shows the JWT is not expired (found in the exp claim)

  • Issuer and audience claims that match your application’s domain

This qualifies the JWT as an additional form of authentication (for the user or client), giving the application an additional layer of security than just Transport Layer Security (TLS) protocols.

How JWT authentication works with Pomerium

Think of the upstream app as the airplane at an airport and TLS as the security checkpoint (that long tunnel you walk through). Anyone boarding the airplane must first pass through the security checkpoint. When you get through security, you get a stamp on your boarding pass that authorizes you to board the airplane.

But, what if someone found a way to skip the security checkpoint and went straight to the airplane?

The airplane, like the upstream app, has no way of knowing that a passenger didn’t come through the secure connection — the TLS tunnel — but the airline attendants can check that the passenger has a stamp on their boarding pass.

A user’s signed JWT acts as the stamp: In the event of other network configuration mistakes, the app can still grant or deny users if they don’t have a signed JWT to verify their identity.

When to use signed headers?

You should use signed headers for any application sensitive enough to justify mTLS. Signed headers can be easily added to provide an additional layer of security to applications using Pomerium.

As covered earlier, signed headers provide an additional layer of security to the protected application when network or infrastructure configurations go awry, usually due to human error.

Protecting All Your Applications with Pomerium

Pomerium is the top choice for companies looking for an open-source context-aware reverse proxy to manage secure, identity-aware access to applications and services. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium can easily add authentication and authorization to any resource.

Our customers depend on us to secure zero trust, clientless access to their web applications everyday.

Check out our open-source Github Repository or give Pomerium a try today!

Share:

Stay Connected

Stay up to date with Pomerium news and announcements.

More Blog Posts

See All Blog Posts
Blog
Identity Aware Proxy (IAP): Meaning, Pricing, Solutions
Blog
The Great VPN Myth: What PCI DSS 4.0 Actually Requires for Remote Access
Blog
Zscaler vs. Tailscale vs. Pomerium: Detailed Comparison

Revolutionize
Your Security

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Pomerium logo
© 2024 Pomerium. All rights reserved