9 Apr 2020

Checking integrity of uploads with SHA-1

SHA-1 checksum is widely used to check the integrity of uploads and downloads. It's available for all major languages and generates a hexadecimal value that represents the message (in this case, the file). As the app knows this value locally (before upload), it can check if the value on the server is the same, ensuring no data was corrupted during the upload. Same if valid for downloads.

This was always available for uploads to Forge OSS, but until now the app would need to upload and then check the response for the sha1 attribute, which works, but requires explicit check by the caller.

Now the upload endpoint also accepts a x-ads-content-sha1 optional request header. If provided, the server (Forge) will check if it matches, and if it doesn't, it will fail and return status code 400. This prevents the upload of corrupted data. The response will also include the server calculated SHA-1 via x-ads-content-sha1 header, which can be use to verify on the caller (app).

Both single upload and resumable upload now accept and return this header. Please refer to the documentation for more details.

Note: the request header is optional, therefore it will not affect existing apps. The response header will always be present, but should not affect apps.

Related Article