Definition
In a replay attack, an attacker captures a legitimate signed request and re-transmits it later. Because it was genuinely signed, a naive verifier accepts it. Credicorp includes the timestamp inside the HMAC and rejects anything outside a 300-second window, so a stale replay fails verification. Pair that with idempotency on the event id and a replay is harmless even within the window.
Frequently asked questions
How does the timestamp stop replays?
It is signed, so it cannot be altered, and old timestamps are rejected. A captured request goes stale within five minutes. See signature verification.
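The check described above, as an added example that is not Credicorp's own code: a verifier that authenticates the timestamp with the body, enforces the 300-second window, and deduplicates on the event id. The `<timestamp>.<body>` signing string, HMAC-SHA256, the hex encoding and the JSON `id` field are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # window stated on the page


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed layout: HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}  # event id -> signed timestamp, kept for one window

    def verify(self, timestamp: str, signature: str, body: bytes, now=None) -> str:
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except ValueError:
            return "rejected: bad timestamp"
        # Authenticate first: the timestamp is only trusted once the MAC
        # over timestamp + body matches (constant-time comparison).
        expected = sign(self.secret, ts, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected: bad signature"
        # A genuine but old capture fails here.
        if abs(now - ts) > TOLERANCE_SECONDS:
            return "rejected: stale"
        try:
            event_id = json.loads(body)["id"]
        except (ValueError, KeyError, TypeError):
            return "rejected: no event id"
        # Ids older than the window can be dropped: a replay of them
        # carries the same signed timestamp and is already stale.
        self.seen = {k: v for k, v in self.seen.items()
                     if now - v <= TOLERANCE_SECONDS}
        if event_id in self.seen:
            return "duplicate: ignored"  # replay inside the window
        self.seen[event_id] = ts
        return "accepted"
```

The in-memory `seen` map stands in for whatever shared store a multi-instance deployment would need, and the receiver's clock must be kept in sync for the window to mean anything.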