Signing to prevent MIM attacks

Hello,
Am fairly new to Frappe. Been working only for the last 3-4 months.

Am in a situation where the data that is sent to the web (mostly API) needs to be signed. This is to ensure that there are no man-in-the-middle attacks.
For this am trying to figure out if Frappe has a way to intercept the calls before they are handed over to the API?

Any help or hint would be greatly appreciated.

There are a few posts that talk about middleware that can be configured in hooks.py. But didn’t find any documentation of that in the frappe docs.

Thanks much

This isn’t supported out of the box but should be easy to implement.

Refer to Hash-based Message Authentication Code (HMAC) - Docs

TBH I don’t see MUCH point in signing the response… you can trust HTTPS/TLS to work.

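The HMAC approach suggested in the reply above, sketched as an added example; it is not code from the thread's participants or from Frappe. The header names `X-Timestamp` and `X-Signature`, the 300-second freshness window, and the sample secret, path and body are assumptions constructed for illustration, and wiring `verify` into Frappe's request handling is not shown.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; tune to expected clock drift

# Constructed sample values for illustration only.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_PATH = "/api/resource/ToDo"
SAMPLE_BODY = b'{"description": "demo"}'


def _canonical(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    # Bind the signature to method, path and time, not just the body, so a
    # captured signature cannot be reused against a different endpoint.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign(secret: bytes, method: str, path: str, body: bytes, now=None) -> dict:
    """Return the (assumed) headers a client attaches to a signed request."""
    timestamp = str(int(time.time() if now is None else now))
    message = _canonical(method, path, timestamp, body)
    mac = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {"X-Timestamp": timestamp, "X-Signature": mac}


def verify(secret: bytes, method: str, path: str, body: bytes,
           headers: dict, now=None) -> bool:
    """Server-side check, meant to run before the request reaches the API."""
    timestamp = headers.get("X-Timestamp", "")
    signature = headers.get("X-Signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: limits replay of old requests
    message = _canonical(method, path, timestamp, body)
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(expected.encode(), signature.encode())
```

The timestamp check only narrows the replay window; a request replayed within it still verifies unless the server also tracks a per-request nonce.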

Thanks very much @ankush
Fully agree that in most cases HTTPS should be sufficient.
The particular business case demands me to implement signing as a security measure.

But your hints do help me a lot!

Thanks again.