CDN Artifact Body Signatures

[n1ru4l]

Background

Some customers require cryptographic verification of CDN-delivered artifacts to ensure the integrity and authenticity of responses served through the CDN cache. While HTTPS protects transport integrity, it does not allow clients to independently verify that the artifact body has not been modified by intermediaries or misconfigurations.

To address this requirement, responses served via CDN shoul include a cryptographic signature of the response body. Clients can then verify the signature using a published public key.

Proposal

Introduce response body signing for CDN artifacts, where the origin (or edge worker) generates a deterministic signature for the response body before the response is served.

The signature would be returned alongside the artifact in HTTP headers.

Suggested structure:

Content-Digest: sha-256=:<base64 digest>:
X-Body-Signature: :<base64 signature>:
X-Signature-Key-Id: <key-id>

• Content-Digest contains the SHA-256 digest of the response body
• X-Body-Signature is a signature over the digest using a private key
• X-Signature-Key-Id identifies the key used for signing

Clients verify the artifact by:

1. Computing the SHA-256 digest of the response body
2. Comparing it to Content-Digest
3. Verifying the signature using the corresponding public key

Open Questions

• How should public keys be distributed (JWKS, metadata endpoint, documentation)?
• Should signature verification tooling be provided in SDKs?