HTTP Web Security

Timestamp Request Validation

Timestamp request validation is mainly used to prevent replay attacks. The principle is to include a timestamp (usually in milliseconds) in each request; the backend then checks whether that timestamp falls within an allowed time window. It is usually combined with a signature mechanism to ensure the timeliness and uniqueness of the request, but it can also be used on its own.

Usage scenarios: password-reset links (the URL that is sent carries the encrypted timestamp as a parameter), APIs with high confidentiality requirements, and server-to-server calls (not browser calls, because a key stored in the browser cannot be kept secret).

Common Validation Logic

  1. The client includes the timestamp ciphertext (e.g., parameter timestamp=xxx) in the request. The ciphertext is produced with a secret key that is held by either the server or the client; take care not to leak it.
  2. The backend checks whether the difference between the current server time and the request timestamp is within a reasonable range (e.g., ±5 minutes).
  3. If the request is outside that window, it is rejected as expired.

Replay attack: timestamp validation alone cannot stop the same request from being submitted several times within the window. Use a unique nonce together with it and, for interfaces with business idempotency requirements, also check whether that nonce has already been used.

Usage

YAML Configuration

AES symmetric encryption is currently used; configure your AES secret key here.

security:
    TimeSignature: # Timestamp control
        enabled: true
        secretKey: der3@x7Az#2 # Secret key, required

Interceptor Validation

Add the @TimeSignatureVerify annotation to the endpoint (interface) that should be protected:

@GetMapping("/TimeSignatureVerify")
@TimeSignatureVerify
int TimeSignatureVerify();

Generate Timestamp Token

Generate the token in your business code and hand it to the caller as a request parameter.

// Static method call
String token = SecurityInterceptor.getBean(TimeSignature.class).generateSignature();

Roadmap

More complex encryption rules, and separate configuration for each annotation.