WAF HMAC without timestamp

Currently WAF for Pro-and-above zones has such a neat feature as a HMAC validation for WAF. It would be a great universal tool, if it wouldn’t require the validated message to end on a timestamp (or, specifically, 10 digits), which ruins usefulness of a feature for validating external HMAC’s (ie, which are provided by a third party), if the message doesn’t have exactly 10 digits in the end.

Is there any chance a non-timed HMAC comes to a pro plan?

At the moment, Cloudflare requires a timestamp in HMAC validation functions to prevent replay attacks and ensure data freshness. I am not aware of any immediate plan to introduce non-timestamped HMAC validation, but I recommend sharing your use case and feedback in the #feedback:feature-request section of the community.

Right now, if you’d like to perform custom HMAC validation on Cloudflare, you could consider using Cloudflare Workers. The WebCrypto API would allow you to validate untimed HMAC. Here’s an example of how to use HMAC in Cloudflare Workers: Sign requests · Cloudflare Workers docs.

1 Like