- const headers = req.method === 'POST'
- ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
- : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
+ const requiredHeaders = req.method === 'POST'
+ ? [ '(request-target)', 'host', 'digest' ]
+ : [ '(request-target)', 'host' ]
+
+ const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders })
+
+ const parsedHeaders = parsed.params.headers
+ if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) {
+ throw new Error(`date or (created) must be included in signature`)
+ }