Tuesday 15 April 2014

security - Handling empty request bodies for public/private key-based API

I have a standard API where the client is verified by hashing the request body with the private key as the key, and comparing that with the hash value in the query string.

For example, if the request body is "This request is a request body", the hash is set as sha256('This request is a request body' . PRIVATE_KEY), and the server does the same to validate it.

How can I secure this authentication process if the request body is empty? The hash is then just a hashed value of the private key, and could be reused by anyone listening to the traffic for "blank" requests.

I am assuming that the only answer will be "require something in the body", but maybe I'm missing something obvious.

First off, don't do hash(data + key). There are known weaknesses with that; HMAC is designed for this. Your hash would then be:

  hash = hmac(sha256, data, private)

Now, the general way to handle your question (how to stop replay attacks) is to add a random factor to each request. There are a few ways to do this, but the one that works well is a nonce-based approach. So:

  nonce = random(16)
  now = time()
  data = api_data + '|' + nonce + '|' + now
  hash = hmac(sha256, data, private)
  apiCall = data + '&nonce=' + nonce + '&time=' + now + '&sig=' + hash

Then, on the receiving side, you keep track of the list of nonces seen in the last 30 seconds. If you get one that you have already seen, reject the API call (because it would be a replay attack). If you get one that is more than 30 seconds old, reject the API call.

  if (now < time() - 30) reject()       // more than 30 seconds old
  if (nonce in seen_nonces) reject()    // already seen: a replay
  seen_nonces.add(nonce)                // remember it for the next 30 seconds
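A worked version of the answer's scheme in Python, added here as an illustration and not code from the answer or the original post. It contrasts the question's sha256(body + key) (which collapses to a constant when the body is empty, so every "blank" request carries the same replayable tag) with an HMAC over api_data|nonce|time, and implements the receiving side with the 30-second window and the set of seen nonces the answer describes. The key, the request contents, the `Verifier` class and the function names are constructed for this example; the only addition beyond the answer is that a nonce is recorded only after its signature verifies, so unauthenticated traffic cannot fill the seen-nonce table.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

WINDOW_SECONDS = 30  # the answer's window: anything older is rejected


def naive_sig(body: bytes, key: bytes) -> str:
    """The scheme from the question: sha256(body + key).

    With an empty body this is sha256(key), the same value on every
    request, which is exactly the replay problem the question raises.
    """
    return hashlib.sha256(body + key).hexdigest()


def _canonical(api_data: str, nonce: str, when: int) -> bytes:
    # Both sides must build the signed string identically.
    return f"{api_data}|{nonce}|{when}".encode()


def sign_request(api_data: str, key: bytes,
                 nonce: Optional[str] = None,
                 now: Optional[int] = None) -> Dict[str, object]:
    """Client side: bind a fresh nonce and timestamp into the HMAC.

    nonce/now are parameters only so the example is testable offline;
    a real client always lets them default to fresh values.
    """
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    now = now if now is not None else int(time.time())
    sig = hmac.new(key, _canonical(api_data, nonce, now), hashlib.sha256).hexdigest()
    # The fields a client would send as data, &nonce=, &time= and &sig=.
    return {"data": api_data, "nonce": nonce, "time": now, "sig": sig}


class Verifier:
    """Server side: 30-second freshness window plus a seen-nonce table."""

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time):
        self.key = key
        self.clock = clock          # injectable so tests can fix "now"
        self.seen: Dict[str, int] = {}  # nonce -> time first accepted

    def _expire(self, now: int) -> None:
        # Nonces older than the window can be forgotten: a request carrying
        # one would already be rejected as stale.
        for nonce, first_seen in list(self.seen.items()):
            if now - first_seen > WINDOW_SECONDS:
                del self.seen[nonce]

    def verify(self, req: Dict[str, object]) -> Tuple[bool, str]:
        now = int(self.clock())
        self._expire(now)
        when = req.get("time")
        if not isinstance(when, int) or now - when > WINDOW_SECONDS:
            return False, "stale"                 # more than 30 seconds old
        nonce = str(req.get("nonce", ""))
        if nonce in self.seen:
            return False, "replay"                # already accepted once
        expected = hmac.new(self.key, _canonical(str(req.get("data", "")), nonce, when),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(req.get("sig", ""))):
            return False, "bad signature"         # constant-time comparison
        self.seen[nonce] = now                    # record only after it verifies
        return True, "ok"


if __name__ == "__main__":
    key = b"example-private-key"  # constructed for the example
    # Empty body under the question's scheme: identical tag every time.
    print("naive, empty body, twice:", naive_sig(b"", key) == naive_sig(b"", key))
    v = Verifier(key)
    first = sign_request("", key)   # empty api_data, as in the question
    print("first delivery:", v.verify(first))
    print("replayed:      ", v.verify(first))
    print("fresh request: ", v.verify(sign_request("", key)))
```

Two points worth noting from the code: the nonce is added to `seen` only after `compare_digest` succeeds, so an unauthenticated sender cannot burn nonces or grow the table, and the table is bounded because entries outside the 30-second window are dropped on every call.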
