mTLS vs. HTTP Message Signatures: Tradeoffs in Securing HTTP Requests

2•getvictor•10h ago
I’ve been comparing two approaches to authenticating HTTP requests: mTLS and HTTP Message Signatures (like RFC 9421).

mTLS is fast and handled by the TLS layer, but has deployment complexity (e.g. certs, termination). HTTP signatures offer more flexibility at the app layer, but require custom logic and replay protection.

Currently, I'm on the HTTP Message Signatures train since it provides more flexibility to an app developer like me, and I don't have to worry about infrastructure such as load balancers. I can decide which API endpoints need signatures and which parts of the request will be signed.

Curious what others are using in production. How are you securing requests between services or devices? Any lessons from trying both?
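The "custom logic and replay protection" the post mentions, sketched as an added example that is not part of the original post or of any library's API. It builds a signature base in the layout RFC 9421 describes, signs it with HMAC-SHA256, and rejects stale or repeated requests; the covered components, the 300-second window, the in-memory nonce store and all function names are assumptions, and header parsing is left out.

```python
import base64, hashlib, hmac, time

COVERED = ("@method", "@path", "content-digest")  # request parts chosen for signing
MAX_SKEW = 300      # seconds a signature is accepted (assumed policy)
_seen_nonces = {}   # nonce -> expiry; constructed in-memory store for the demo

def content_digest(body):
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def make_params(created, nonce, keyid):
    covered = " ".join(f'"{c}"' for c in COVERED)
    return f'({covered});created={created};keyid="{keyid}";nonce="{nonce}"'

def signature_base(method, path, body, params):
    # One line per covered component, then the signature parameters line.
    values = {"@method": method.upper(), "@path": path,
              "content-digest": content_digest(body)}
    lines = [f'"{name}": {values[name]}' for name in COVERED]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def _mac(key, method, path, body, created, nonce, keyid):
    params = make_params(created, nonce, keyid)
    return hmac.new(key, signature_base(method, path, body, params), hashlib.sha256).digest()

def sign(key, method, path, body, created, nonce, keyid="demo-key"):
    return base64.b64encode(_mac(key, method, path, body, created, nonce, keyid)).decode()

def verify(key, method, path, body, created, nonce, signature, now=None, keyid="demo-key"):
    now = time.time() if now is None else now
    try:
        given = base64.b64decode(signature, validate=True)
    except ValueError:
        return "bad-signature"
    expected = _mac(key, method, path, body, created, nonce, keyid)
    if not hmac.compare_digest(expected, given):
        return "bad-signature"      # tampered request or wrong key
    if abs(now - created) > MAX_SKEW:
        return "stale"              # outside the freshness window
    for old in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[old]       # forget nonces that can no longer be replayed
    if nonce in _seen_nonces:
        return "replay"             # same signed request seen before
    _seen_nonces[nonce] = created + MAX_SKEW
    return "ok"
```

With more than one server instance, the nonce store has to be shared between them, otherwise a replay sent to a different instance passes.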

Comments

p_ing•9h ago
No sane infrastructure engineer would let you do anything other than TLS in production. Devs are largely untrusted to get security correct.

getvictor•8h ago
Yes, I'm assuming you're always running TLS. The question is whether to use mTLS (mutual TLS) vs HTTP message signatures to verify that the request is coming from a trusted client.
