Overview
In addition to HMAC signature verification, the EASYCRED API gateway enforces two additional security gates to prevent replay attacks and request tampering: Timestamp Drift and Nonce Replay protection.Timestamp Drift Gate
The gateway compares thex-timestamp header value against the server’s current UTC time. If the difference exceeds ±300 seconds (5 minutes), the request is rejected:
Valid Window
Requests with
x-timestamp within ±300 seconds of server time are accepted.Outside Window → 401
Requests older than 5 minutes or with future timestamps beyond 5 minutes are rejected.
Nonce Replay Gate
Every request must include a uniquex-nonce value. The gateway stores all nonces seen within the drift window in a distributed Redis cache.
If a request arrives with a nonce that has already been used within the window, it is immediately rejected:
Nonce Requirements
| Requirement | Details |
|---|---|
| Format | Printable ASCII characters |
| Length | 1–200 characters |
| Uniqueness | Must be unique per request |
| Recommended | UUID v4 (e.g., 94fc6cee-137c-4206-bb0a-48623bd0847c) |
Combined Protection Model
Both gates work together to provide layered security:Troubleshooting
| Error | Likely Cause | Fix |
|---|---|---|
401 Stale timestamp | Server clock drift | Sync clock with NTP |
401 Replayed request | Nonce reused across retries | Generate a fresh UUID per request attempt |
401 Bad signature | Signing string built incorrectly | Verify canonical string construction, especially the empty body "" for GET requests |