cc50b35ca3
All checks were successful
check / check (push) Successful in 1m44s
Add explicit tests proving that HMAC-SHA256 signatures verify against exact URLs only — no suffix matching, wildcard matching, or partial matching is supported. A signature for cdn.example.com will not verify for example.com, images.example.com, or any other host. Changes: - signature.go: Add documentation comments on Verify() and buildSignatureData() specifying exact-match semantics - signature_test.go: Add TestSigner_Verify_ExactMatchOnly (14 tamper cases covering host, path, query, dimensions, format) and TestSigner_Sign_ExactHostInData (verifies suffix-related hosts produce distinct signatures) - service_test.go: Add TestService_ValidateRequest_SignatureExactHostMatch (integration test verifying ValidateRequest rejects signatures when host differs — parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host) - README.md: Document exact-match-only behavior in Signature section Does NOT modify whitelist.go or any whitelist-related code.