silverpill2. Activity-Level Origin Checks
Same-origin is checked rather than exact equality so that servers with multiple actors can sign on behalf of any of their actors — a common legitimate pattern.
For incoming activities, consider checking exact equality. See FEP-fe34, section "Signatures":
In order to minimize damage in the event of a key compromise or insufficient validation, consumers MUST verify that the signing key has the same owner as the signed object. Consumers MUST also confirm the ownership of the key by verifying a reciprocal claim.
This is not strictly necessary, but would help if the origin server does poor job at validating user input.
3. Embedded Object Origin Checks
Owner origin: the object's owner (actor for Activity subtypes, attributedTo for Notes/Objects) must be same-origin as the signing actor. Anonymous objects (no owner field) are accepted.
In this case I also recommend checking owner ID equality, as a rule of thumb. Because origin servers implementing C2S API may fail to validate all embedded objects (which can be deeply nested).
Response body size limits
You may also need to limit the number of redirects and set a timeout. Some HTTP libraries have bad defaults.
By the way, I collect such recommendations in this guide: https://codeberg.org/ap-next/ap-next/src/branch/main/guide.md#network. Contributions are welcome!
All GNU social JP content and data are available under the