Recalculate `Digest` header upon receiving an activity
aumetra opened this issue · comments
This has to be done to prevent attacks, such as MITM attacks, where the attacker intercepts a delivery POST request and replaces the payload with their own activity.
Right now, we don't do any digest recalculation, which means we are technically susceptible to this kind of attack.
Pretty easily solvable by writing and plugging in a custom Tower middleware on the inbox route.
Extension of #195