Hello Internet Computer community!
I’m excited to introduce to you today a new version of response verification for the HTTP Gateway Protocol. This is something that has been pending for quite some time now so I’m delighted to finally have the opportunity to share this with you all.
I’ll be talking more about this at today’s public Global R&D so make sure to tune in if you’re interested in learning more.
What Is Response Verification?
I’m glad you asked!
Response verification is how HTTP Gateways ensure that the assets required to run your frontend dApps in a web browser are delivered in a secure and efficient way. Without response verification, HTTP Gateways would either need to choose between the slow, but secure update calls, or the fast, but less secure query calls. Using response verification, HTTP Gateways can deliver assets to your web browser with the performance of query calls and the security of update calls.
If you’re unfamiliar with HTTP Gateways, now’s a good time to familiarize yourself. You can read more about HTTP Gateways in the wiki and the interface spec.
Issues with Response Verification V1
As great as response verification v1 is, it has its limitations. When the HTTP Gateway performs response verification it is only performed on the response body, so HTTP status codes or headers are not taken into account. This makes it dangerous to do many things that are considered standard in web2 development, like using cache headers or performing redirects.
What would happen if response headers were trusted without verifying them? A malicious replica could insert cache headers with an expiration date really far in the future and that bug you deployed last week would remain cached in your end user’s browsers for a very long time! A malicious replica could also perform a redirect that would bring your users to a phishing website that would steal their fungies or Cubetopia land plot!
So it’s important that we are very careful with what we trust and do not trust from a replica. To ensure security for assets now, we either need to avoid relying on headers or to use the slower update calls to perform certain functions.
Solutions Provided By Response Verification V2
Enter, response verification v2! Response verification v2 allows all kinds of new things to be included in response verification. This includes request methods, headers and query parameters, response headers and status code. Pretty cool, right?
Now it’s much safer and faster (faster is always better, right?) to leverage response headers to their full potential. Using update calls for redirects will be a thing of the past and caching integration for the Service Worker is already on its way! Paths that have dynamic content (translations for example) can now return one of many responses for the same request URL, this wasn’t safe to do before without update calls.
How To Upgrade
So, you must be excited to start using this now. Support for response verification v2 in the DFX asset canister will be available in DFX version 0.14.0. This is due to be released in the coming weeks. Users of the DFX asset canisters will only need to upgrade their version of DFX, deploy their asset canister again and they will automatically have support for response verification v2. Of course, this is all done in a backwards compatible way so there won’t be any panic to upgrade, although I would encourage everyone to leverage these awesome new features as soon as they can!
For those with custom asset canisters, you can roll your own implementation at any point. The SDK’s Certified Assets library and the specification can act as points of reference for this. Alternatively, we’ll soon start work on a supportive library that can be used by custom asset canisters to make this custom implementation much easier. We’ll also make sure to provide ample documentation for this!
Wrapping Up
Thanks for taking the time to read through this. It’s been a pleasure to work on this project and I hope you’re as excited about this as I am! While we wait for the final pieces to come together, here’s some extra links for all the curious cats out there that want to know more: