Require a valid HMAC token
This example uses HMAC token authentication to protect a static private asset hosted by
http.request.uri for this example is
/download/cat.jpg?represents the path to the asset—the HMAC message to authenticate
?verify=is the separator between the path to the asset and the timestamp when the HMAC token was issued
1484063787represents the timestamp when the token was issued, expressed as Unix time in seconds
9JQB8vP1z0yc5DEBnH6JGWM3mBmvIeMrnnxFi3WtJLE%3Dis a base64-encoded MAC
The firewall rule below blocks requests to
example.com that do not include a valid HMAC.
is_timed_hmac_valid_v0() function compares the value of a MAC generated using
secretKey to the value encoded in
If the MAC values match and
http.request.timestamp.sec < (timestamp-issued + 10800)
then the token is valid and the function returns
Since the expression in this example uses the
not operator, it only matches when the HMAC token is not valid. When the token is not valid, the Cloudflare triggers the action and blocks the request.
Protecting multiple paths using the same secret
You can use the same secret key to protect multiple URI paths.
This is illustrated in the example above, where
http.request.uri is passed as the MessageMAC argument to the validation function.
http.request.uri includes the path to the asset and that value is extracted for each request, the validation function evaluates all request URIs to
downloads.example.com using the same secret key.
Note that while you can use the same secret key to authenticate multiple paths, you must generate an HMAC token for each unique message you want to authenticate.