#http #ietf #sig


Implementation of the IETF draft 'Signing HTTP Messages'

7 unstable releases

0.4.1 Jan 12, 2022
0.4.0 Aug 19, 2021
0.3.1 Apr 23, 2020
0.2.1 Mar 4, 2020
0.1.0 Feb 4, 2020

#372 in Cryptography

Download history 55/week @ 2022-08-13 56/week @ 2022-08-20 49/week @ 2022-08-27 107/week @ 2022-09-03 137/week @ 2022-09-10 127/week @ 2022-09-17 12/week @ 2022-09-24 74/week @ 2022-10-01 49/week @ 2022-10-08 50/week @ 2022-10-15 100/week @ 2022-10-22 76/week @ 2022-10-29 51/week @ 2022-11-05 108/week @ 2022-11-12 88/week @ 2022-11-19 66/week @ 2022-11-26

348 downloads per month


1.5K SLoC


Implementation of the IETF draft 'Signing HTTP Messages'.

This crate is maintained by the developers at PassFort Limited.




This crate is intended to be used with multiple different HTTP clients and/or servers. As such, client/server-specific implementations are gated by correspondingly named features.

Supported crates:

Crate / Feature name Client/Server Notes
reqwest Client Supports blocking and non-blocking requests.1
rouille Server
  1. Due to limitations of the reqwest API, digests cannot be calculated automatically for non-blocking, streaming requests. For these requests, the user must add the digest manually before signing the request, or else the Digest header will not be included in the signature. Automatic digests for streaming requests are supported via the blocking API.

Supported signature algorithms:

Algorithm registry: https://tools.ietf.org/id/draft-cavage-http-signatures-12.html#hsa-registry

  • hmac-sha256
  • hmac-sha512
  • rsa-sha256
  • rsa-sha512

Supported digest algorithms:

Digest registry: https://www.iana.org/assignments/http-dig-alg/http-dig-alg.xhtml

  • SHA-256
  • SHA-512


Licensed under either of


Thanks for your interest in http-sig.

The best way to contribute is to open issues for bugs or missing features. Bug reports should contain as much information as possible and contain steps to reproduce. We are particularly interested in any bugs which may impact security.

Pull requests are also accepted. However, this crate is maintained primarily for internal use at PassFort Limited, and pull requests which do not align with our current priorities may not be reviewed promptly. To avoid wasted effort on large features, we strongly recommend opening an issue first to discuss the potential changes.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


~328K SLoC