Practise the standard verbs for signing and verifying API requests.
1 / 5
Fill in: 'We ___ every outbound request with an HMAC signature so the receiving service can confirm it wasn't tampered with.'
We 'sign a request' — the standard, established API security collocation for attaching a cryptographic signature. The other options aren't the recognised term here.
2 / 5
Fill in: 'Skipping a timestamp in the signed payload can ___ an old, valid signature be replayed indefinitely by an attacker.'
We say a missing timestamp will 'let' replay happen — the standard, natural collocation for the resulting gap. The other options aren't idiomatic here.
3 / 5
Fill in: 'We ___ the incoming signature against a freshly computed one before trusting any part of the request body.'
We 'verify a signature' — the standard, established collocation for validating a cryptographic proof. The other options aren't the recognised term here.
4 / 5
Fill in: 'We ___ the signing secret out of source control entirely and load it only from a secrets manager at runtime.'
We 'keep' a secret out — the standard, simple collocation for maintaining a security boundary. The other options are less idiomatic here.
5 / 5
Fill in: 'We ___ a short validity window on each signed request so a captured signature expires within seconds, not hours.'
We 'enforce' a window — the standard, established collocation for requiring a bounded time constraint. The other options aren't the recognised term here.