httpsig

Signature verification: Digest should be calculated upfront using the body

Open Milkhaa opened this issue 5 years ago • 0 comments

At the time of verification, we use the value of the digest header (if required) for verifying the signature. This opens a gate to attackers. Suppose someone was able to tamper with the request/response body without touching any of the headers; signature verification will still be OK because we are using the digest header sent for the verification purpose.

To prevent such an attack, we should either:
i) recalculate the 'digest' to be used in signature verification, or
ii) compare the ['digest' header value] with the [re-calculated 'digest' from body], if the signature calculation method for verification remains as is.

Milkhaa, Aug 23 '19 05:08
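Option ii from the issue, as an added example that is not httpsig's own code: a simplified HMAC-SHA256 header signature in which the verifier also recomputes the SHA-256 digest from the body and compares it with the `Digest` header. The key, header values, signing-string format and function names are constructed for illustration, and rejecting requests whose signature does not cover `digest` is this example's own policy assumption.

```python
import base64, hashlib, hmac

KEY = b"constructed-shared-secret"  # constructed sample key, not a real credential

def body_digest(body: bytes) -> str:
    """Digest header value (SHA-256 form) computed from the actual body bytes."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(headers: dict, covered: list) -> bytes:
    """Simplified signing string: one 'name: value' line per covered header."""
    return "\n".join(f"{h}: {headers[h]}" for h in covered).encode()

def sign(headers: dict, covered: list) -> str:
    mac = hmac.new(KEY, signing_string(headers, covered), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_headers_only(headers: dict, covered: list, signature: str) -> bool:
    """Behaviour described in the issue: the Digest header is trusted as sent."""
    return hmac.compare_digest(sign(headers, covered).encode(), signature.encode())

def verify_with_body(headers: dict, covered: list, signature: str, body: bytes) -> bool:
    """Option ii: compare the Digest header with a digest recomputed from the body."""
    if "digest" not in covered:
        return False  # assumption of this example: the body must be bound to the signature
    sent = headers.get("digest", "").encode()
    if not hmac.compare_digest(sent, body_digest(body).encode()):
        return False  # body does not match the signed Digest header
    return verify_headers_only(headers, covered, signature)

def demo():
    covered = ["host", "date", "digest"]
    body = b'{"amount": 10}'            # constructed sample body
    headers = {"host": "example.test", "date": "Fri, 23 Aug 2019 05:08:00 GMT",
               "digest": body_digest(body)}
    sig = sign(headers, covered)
    tampered = b'{"amount": 9999}'      # body changed in transit, headers untouched
    return (verify_headers_only(headers, covered, sig),        # never looks at the body
            verify_with_body(headers, covered, sig, body),     # untouched body
            verify_with_body(headers, covered, sig, tampered)) # tampered body

if __name__ == "__main__":
    print(demo())
```

The headers-only check has no body parameter at all, which is the gap the issue describes: whatever body arrives alongside the signed headers is accepted.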