mTLS vs. HTTP Message Signatures: Tradeoffs in Securing HTTP Requests

2•getvictor•7mo ago

I’ve been comparing two approaches to authenticating HTTP requests: mTLS and HTTP Message Signatures (like RFC 9421).

mTLS is fast and handled by the TLS layer, but has deployment complexity (e.g. certs, termination). HTTP signatures offer more flexibility at the app layer, but require custom logic and replay protection.

Currently, I'm on the HTTP Message Signatures train since it provides more flexibility to an app developer like me, and I don't have to worry about infrastructure such as load balancers. I can decide which API endpoints need signatures and which parts of the request will be signed.

Curious what others are using in production. How are you securing requests between services or devices? Any lessons from trying both?

Comments

p_ing•7mo ago

No sane infrastructure engineer would let you do anything other than TLS in production. Devs are largely untrusted to get security correct.

getvictor•7mo ago

Yes, I'm assuming you're always running TLS. The question is whether to use mTLS (mutual TLS) vs HTTP message signatures to verify that the request is coming from a trusted client.

getvictor•7mo ago

I wrote up the pros and cons of mTLS vs HTTP message signatures for additional client authentication here:

https://victoronsoftware.com/posts/mtls-vs-http-signature/

Haskell for all: Beyond agentic coding

Dorsey's Block cutting up to 10% of staff

Show HN: Freenet Lives – Real-Time Decentralized Apps at Scale [video]

In the AI age, 'slow and steady' doesn't win

Administration won't let student deported to Honduras return

How were the NIST ECDSA curve parameters generated? (2023)

AI, networks and Mechanical Turks (2025)

Goto Considered Awesome [video]

Show HN: I Built a Free AI LinkedIn Carousel Generator

Implementing Auto Tiling with Just 5 Tiles

Open Challange (Get all Universities involved

Apple Tried to Tamper Proof AirTag 2 Speakers – I Broke It [video]

Show HN: Isolating AI-generated code from human code | Vibe as a Code

Show HN: More beautiful and usable Hacker News

Toledo Derailment Rescue [video]

War Department Cuts Ties with Harvard University

Show HN: LocalGPT – A local-first AI assistant in Rust with persistent memory

A Bid-Based NFT Advertising Grid

AI readability score for your documentation

NASA Study: Non-Biologic Processes Don't Explain Mars Organics

I inhaled traffic fumes to find out where air pollution goes in my body

X said it would give $1M to a user who had previously shared racist posts

155M US land parcel boundaries

Private Inference

Font Rendering from First Principles

Show HN: Seedance 2.0 AI video generator for creators and ecommerce

Wally: A fun, reliable voice assistant in the shape of a penguin

Rewriting Pycparser with the Help of an LLM

Lobsters Vibecoding Challenge

E-Commerce vs. Social Commerce