{"id":18431,"library":"http-message-sig","title":"http-message-sig","description":"HTTP Message Signatures implementation conforming to RFC 9421, currently at version 0.2.0 (pre-1.0). Provides synchronous and asynchronous signing and verification of HTTP messages. Forked from ltonetwork/http-message-signatures to address incomplete RFC compliance. Ships TypeScript types. Not audited for security; use with caution.","status":"active","version":"0.2.0","language":"javascript","source_language":"en","source_url":"https://github.com/cloudflareresearch/web-bot-auth","tags":["javascript","http-message-sig","rfc9421","cryptography","http-message-signatures","typescript"],"install":[{"cmd":"npm install http-message-sig","lang":"bash","label":"npm"},{"cmd":"yarn add http-message-sig","lang":"bash","label":"yarn"},{"cmd":"pnpm add http-message-sig","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"ESM only; named export. No default export.","wrong":"import sign from 'http-message-sig'","symbol":"sign","correct":"import { sign } from 'http-message-sig'"},{"note":"ESM-only package; CommonJS require() will not work.","wrong":"const { verify } = require('http-message-sig')","symbol":"verify","correct":"import { verify } from 'http-message-sig'"},{"note":"TypeScript users: import types with `import type` to avoid runtime overhead.","wrong":"import { SignOptions } from 'http-message-sig'","symbol":"SignOptions","correct":"import type { SignOptions } from 'http-message-sig'"}],"quickstart":{"code":"import { sign, verify } from 'http-message-sig';\n\nconst key = await crypto.subtle.generateKey(\n  { name: 'HMAC', hash: 'SHA-256' },\n  true,\n  ['sign', 'verify']\n);\n\nconst message = {\n  method: 'POST',\n  url: '/api/data',\n  headers: { 'content-type': 'application/json' },\n  body: JSON.stringify({ foo: 'bar' })\n};\n\nconst signature = await sign(message, {\n  key: key,\n  keyId: 'my-key',\n  algorithm: 'hmac-sha256',\n  created: Math.floor(Date.now() / 
1000),\n  expires: Math.floor(Date.now() / 1000) + 3600\n});\n\nconsole.log(signature);\n\nconst isValid = await verify(message, signature, {\n  key: key,\n  algorithm: 'hmac-sha256'\n});\n\nconsole.log('Signature valid:', isValid);","lang":"typescript","description":"Demonstrates signing and verifying an HTTP message with HMAC-SHA256 using async operations. The demo key is generated in-process and marked extractable (the second generateKey argument is true); for real use, load a provisioned shared secret and keep it non-extractable."},"warnings":[{"fix":"Pin to an exact version and test upgrades thoroughly.","message":"Package is pre-1.0 (version 0.2.0); API may change without a major version bump.","severity":"breaking","affected_versions":">=0.1.0"},{"fix":"Use dynamic import() in CJS or switch to ESM.","message":"ESM-only package; cannot be used with CommonJS require().","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Review RFC 9421 requirements and verify behavior matches your use case.","message":"Forked from ltonetwork/http-message-signatures; not fully compliant with RFC 9421 yet.","severity":"gotcha","affected_versions":"0.2.0"},{"fix":"Use only in non-critical environments or perform a security audit before production use.","message":"Package has not been audited for security.","severity":"deprecated","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Set 'moduleResolution' to 'node16' or 'bundler' in tsconfig.json.","cause":"TypeScript may not resolve types for ESM packages if moduleResolution is not set to 'node16' or 'bundler'.","error":"Cannot find module 'http-message-sig' or its corresponding type declarations."},{"fix":"Use import() syntax or switch to ES modules.","cause":"Trying to use require() on an ESM-only package.","error":"ERR_REQUIRE_ESM: require() of ES Module http-message-sig from not supported."},{"fix":"Run in a secure context or use Node.js 15+. 
For Node.js 14 and below, use a polyfill; because a Web Crypto polyfill is security-critical code, upgrading to a supported Node.js release is the safer option.","cause":"In browsers, crypto.subtle is only available in secure contexts (HTTPS or localhost); in Node.js it requires version 15 or later.","error":"TypeError: crypto.subtle.generateKey is not a function"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}