Veracode APIs use a Hash-based Message Authentication Code (HMAC) with your Veracode API credentials to add an HMAC signature to the HTTP authorization header of each API request. This security measure provides maximum protection against man-in-the-middle and session replay attacks.
HMAC signing provides these added security benefits:
- Credentials, which consist of an API ID and key, are not sent in the clear as plain text. The API key is never transmitted, but encrypts the HMAC from the sender-side and decrypts it from the server-side.
- The HMAC signature validates that the message was not tampered with or altered in transit. Any change to the message invalidates the HMAC.
- The HMAC signature includes a nonce (one-time code) that prevents replay attacks.
Enable HMAC for the API Wrappers
The API wrappers are preconfigured with HMAC signing already enabled. After you generate and store your Veracode API credentials, you can use the Java or C# wrappers from the command line or in your code. The API wrappers are also the best way to troubleshoot your Veracode environment.
Veracode recommends that you always run the latest version of an API wrapper.
Enable HMAC for Using the REST APIs with Java
You can use any of these methods:
- Perform the external signing step on the command line using either the Java or Python tool or the Veracode API wrappers.
- Use one of the community-provided HMAC implementations: https://github.com/veracode/Veracode-Community-Projects#hmac-signing-libraries.
- Enable HMAC signing within your application.
Enable HMAC for Using the XML APIs from the Command Line
The cURL command-line tool does not support HMAC authentication, therefore Veracode provides support for the HTTPie command-line tool. To use HTTPie and HMAC authentication with the XML APIs:
- Download and install the Python programming language. Veracode recommends Python 3.7 or later. If you have a recommended version, you can omit this step. Otherwise, refer to the Python Wiki for advice on choosing a Python download.
- Install the Python Authentication Library.
- Download and install the HTTPie command-line tool.
Enable HMAC for Python Programs
Complete these tasks:
Enable HMAC for Java Programs
Complete these tasks:
Enable HMAC for C# Programs
Review the HMAC Signing Example in C#.