---
title: "Content Signature"
slug: "content-signature"
updated: 2026-01-02T05:42:20Z
published: 2026-01-02T05:42:20Z
---

# Content Signature

Content Signature is an authentication method in which the request body is hashed and then signed with a private key. The resulting signature is included in the request, usually as a header. The server verifies this signature using the corresponding public key. If the signature is valid, the server accepts and processes the request; if not, the server rejects it.

### Configurations

The Content Signature authentication mechanism has the following configurations:

| Configuration | Description |
| --- | --- |
| **Header Key** | The name of the request header that carries the hashed content signature. |
| **Private Key** | The key used to generate the digital signature. |

---

## Example

The following are some samples that you can use to configure the *Content Signature* mechanism in the Advanced mode:

### Sample 1

```python
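import hmac
import hashlib

# ScanContext, PluginContext, TestCase and Assertion are not imported here; they are
# assumed to be provided by the environment that runs this hook.
def content_signature_prehook(scanctx: ScanContext, pluginctx: PluginContext, testcase: TestCase, **kwargs) -> list[Assertion]:
    attributes = testcase.get_attributes()
    # Placeholder values: replace them with the values for your application.
    login_url = "login_url"
    secret_key = "your_secret_key"
    header_name = "your_header_key"

    # set user
    normal_user = True
    bola_user = False

    # Sign the mutated request body, so the signature matches what is actually sent.
    payload = attributes.get_one("mutated.http.request.body", default="")
    signature = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    # Mark the signature header as the attribute that carries authentication.
    attributes.set("mutated.auth.attribute", "mutated.http.request.header." + header_name)

    if normal_user:
        attributes.set("mutated.role.user", signature)
        # Send the signature in the configured header.
        attributes.set("mutated.http.request.header." + header_name, signature)
    if bola_user:
        attributes.set("mutated.role.bolauser", signature)
    return []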
```
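The server-side check that Sample 1 has to satisfy, as an added example that is not part of the original page or of the product's code: it assumes the shared-secret HMAC-SHA256 scheme used in Sample 1 and shows why the signature must be recomputed over the mutated body. The names `sign_body`, `verify_request`, `demo`, the header name and the key are hypothetical, and the request bodies are constructed.

```python
import hashlib
import hmac

# Constructed values for illustration; not taken from any real deployment.
SECRET_KEY = b"example-shared-secret"
HEADER_NAME = "X-Content-Signature"  # hypothetical header name


def sign_body(body: bytes, key: bytes = SECRET_KEY) -> str:
    """Client side: HMAC-SHA256 over the exact request body, hex-encoded as in Sample 1."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_request(headers: dict[str, str], body: bytes, key: bytes = SECRET_KEY) -> bool:
    """Server side: recompute the signature over the received bytes and compare."""
    # Header names are case-insensitive, so normalise them before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME.lower())
    if not received:
        return False  # missing or empty signature header
    expected = sign_body(body, key)
    # Compare as bytes in constant time, so the check does not leak how many
    # leading characters matched and does not raise on non-ASCII header values.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def demo() -> dict[str, bool]:
    """Run the verifier over constructed requests and return accept/reject per case."""
    original = b'{"account_id": 1001, "amount": 25}'
    mutated = b'{"account_id": 1002, "amount": 25}'  # body changed by a test case
    stale = {HEADER_NAME: sign_body(original)}
    fresh = {HEADER_NAME: sign_body(mutated)}
    return {
        "original body, original signature": verify_request(stale, original),
        "mutated body, stale signature": verify_request(stale, mutated),
        "mutated body, re-signed": verify_request(fresh, mutated),
        "missing header": verify_request({}, mutated),
        "wrong key": verify_request({HEADER_NAME: sign_body(mutated, b"other")}, mutated),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A mutated body sent with the original signature is rejected before the application logic runs, which is why the prehook signs `mutated.http.request.body` rather than reusing a captured header value.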
