Signature Header Authentication

This behavior provides header-based verification of outgoing origin requests.

How it works

Edge servers encrypt request data in a pre-defined header, which the origin uses to verify that the edge server processed the request. You can use this behavior to configure the request data, header names, encryption algorithm, and shared secret to use for verification.

Features and options


What it does



Enables or disables the behavior.

Clear Data Header Name

Specifies the name of the header containing the request data that needs to be encrypted.

Encrypted Data Header Name

Specifies the name of the header containing encrypted request data.

Encryption Algorithm Version

Specifies the version of the encryption algorithm that you want to use to encrypt the data.

  • MD5(key, data, sign-string)
  • MD5(key,MD5(key, data, sign-string))
  • MD5-HMAC(key, data, url)
  • SHA1-HMAC(key, data, sign-string)
  • SHA256-HMAC(key, data, sign-string)

Signed String Type

Specifies whether the encrypted string is based on the forwarded URL or a custom set of data. By default, the encrypted string is based on the forwarded URL.


  • Default (Forwarded URL)
  • Custom


With Signed String Type set to Custom, specifies the set of data to be encrypted as a combination of concatenated strings.

  • Incoming Request Method
  • Incoming Request (http or https)
  • Incoming Request Hostname
  • Incoming Request Domain
  • Incoming Request URL
  • Incoming Request Path
  • Incoming Request Query String
  • Incoming Request Filename
  • Incoming Request Filename Extension
  • Incoming Request Client IP

Secret Key

Specifies the shared secret key.


Specifies the cryptographic nonce string.

Note: The value of the nonce cannot be the same as the value of the shared secret key.

Did this page help you?