mTLS vs. HTTP Message Signatures: Tradeoffs in Securing HTTP Requests

2•getvictor•7mo ago

I’ve been comparing two approaches to authenticating HTTP requests: mTLS and HTTP Message Signatures (like RFC 9421).

mTLS is fast and handled by the TLS layer, but has deployment complexity (e.g. certs, termination). HTTP signatures offer more flexibility at the app layer, but require custom logic and replay protection.

Currently, I'm on the HTTP Message Signatures train since it provides more flexibility to an app developer like me, and I don't have to worry about infrastructure such as load balancers. I can decide which API endpoints need signatures and which parts of the request will be signed.

Curious what others are using in production. How are you securing requests between services or devices? Any lessons from trying both?

Comments

p_ing•7mo ago

No sane infrastructure engineer would let you do anything other than TLS in production. Devs are largely untrusted to get security correct.

getvictor•7mo ago

Yes, I'm assuming you're always running TLS. The question is whether to use mTLS (mutual TLS) vs HTTP message signatures to verify that the request is coming from a trusted client.

getvictor•7mo ago

I wrote up the pros and cons of mTLS vs HTTP message signatures for additional client authentication here:

https://victoronsoftware.com/posts/mtls-vs-http-signature/

Discuss – Do AI agents deserve all the hype they are getting?

Ask HN: Anyone Using a Mac Studio for Local AI/LLM?

LLMs are powerful, but enterprises are deterministic by nature

Ask HN: Non AI-obsessed tech forums

Ask HN: Ideas for small ways to make the world a better place

Ask HN: 10 months since the Llama-4 release: what happened to Meta AI?

Ask HN: Who wants to be hired? (February 2026)

Ask HN: Who is hiring? (February 2026)

Ask HN: Non-profit, volunteers run org needs CRM. Is Odoo Community a good sol.?

AI Regex Scientist: A self-improving regex solver

Tell HN: Another round of Zendesk email spam

Ask HN: Is Connecting via SSH Risky?

Ask HN: Has your whole engineering team gone big into AI coding? How's it going?

Ask HN: Why LLM providers sell access instead of consulting services?

Ask HN: How does ChatGPT decide which websites to recommend?

Ask HN: What is the most complicated Algorithm you came up with yourself?

Ask HN: Is it just me or are most businesses insane?

Ask HN: Mem0 stores memories, but doesn't learn user patterns

Ask HN: Is there anyone here who still uses slide rules?

Kernighan on Programming

Ask HN: Anyone Seeing YT ads related to chats on ChatGPT?

Ask HN: Does global decoupling from the USA signal comeback of the desktop app?

Ask HN: Any International Job Boards for International Workers?

We built a serverless GPU inference platform with predictable latency

Ask HN: Does a good "read it later" app exist?

Ask HN: Have you been fired because of AI?

Ask HN: Anyone have a "sovereign" solution for phone calls?

Ask HN: Cheap laptop for Linux without GUI (for writing)

Ask HN: How Did You Validate?

Ask HN: OpenClaw users, what is your token spend?