mTLS vs. HTTP Message Signatures: Tradeoffs in Securing HTTP Requests

2 points, posted 7 months ago
by getvictor

Item id: 44484601

3 Comments

p_ing

7 months ago

No sane infrastructure engineer would let you do anything other than TLS in production. Devs are largely untrusted to get security correct.

getvictor

7 months ago

Yes, I'm assuming you're always running TLS. The question is whether to use mTLS (mutual TLS) vs HTTP message signatures to verify that the request is coming from a trusted client.