Appendix B - Checksum Verification

Checksum Calculation

For every file that is generated, a checksum is calculated that an end user can use to verify that the data the File API sends is the same data that the end user receives. The checksum is calculated by taking a SHA256 hash of the entire body of the data.

Consider the following example:

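import hashlib

body = b"Content of the entire body"  # raw bytes of the body, exactly as sent
checksum = hashlib.sha256(body).hexdigest()  # hex-encoded SHA256 digest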

The content of this checksum will be available in an HTTP response header:

X-Content-SHA256: 9a10d0d87605c548b79aca621c4beb46b54f34ec9ae6b055d4baecd0254a2917

Checksum Verification

To verify that the data received is correct, repeat the checksum calculation described above on the receiving side: compute a SHA256 hash of the entire body that is received, then compare this value to the value in the X-Content-SHA256 response header. This would look like:

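import hashlib

# received_body: the raw response bytes, before any decoding or re-encoding
calculated_checksum = hashlib.sha256(received_body).hexdigest()
header_checksum = response.headers['X-Content-SHA256']
if calculated_checksum != header_checksum:
    # abort here; the caller can then retry or fail
    raise ValueError("X-Content-SHA256 mismatch")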

Checksum Match

If the checksum the end user calculates is the same as the value provided in the header, then the data received is correct and has not been modified or truncated.

Checksum Mismatch

If, on the other hand, the checksum does not match the value provided in the header, it is likely that the data, the checksum, or both have been altered along the way, and the data should not be used. In this case the data should be re-requested and checked again.
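
The verify-then-re-request procedure above, as an added example that is not part of the File API documentation. It hashes the body while streaming it to a temporary file and only publishes the file once the digest matches. The `fetch` callable, `download_verified`, `make_flaky_fetch` and `ChecksumError` are hypothetical names, and the truncated response is constructed sample data.

```python
import hashlib
import os
import tempfile

HEADER = "x-content-sha256"


class ChecksumError(Exception):
    """Raised when no attempt produced a body matching X-Content-SHA256."""


def download_verified(fetch, dest_path, max_attempts=3):
    """Stream a body to disk, hashing as it arrives; publish it only on a match.

    `fetch` is a hypothetical callable returning (headers_dict, chunk_iterator).
    Returns the number of attempts used.
    """
    for attempt in range(1, max_attempts + 1):
        headers, chunks = fetch()
        # Header names are case-insensitive; normalise the hex digest's case too.
        expected = {k.lower(): v for k, v in headers.items()}.get(HEADER, "")
        expected = expected.strip().lower()
        digest = hashlib.sha256()
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(dest_path) or ".")
        with os.fdopen(fd, "wb") as tmp:
            for chunk in chunks:
                digest.update(chunk)  # hash exactly the bytes received
                tmp.write(chunk)
        if expected and digest.hexdigest() == expected:
            # Rename within the same directory, so dest_path is never partial.
            os.replace(tmp_path, dest_path)
            return attempt
        os.remove(tmp_path)  # mismatch or missing header: discard and re-request
    raise ChecksumError(f"no valid body after {max_attempts} attempts")


def make_flaky_fetch(body, chunk_size=8):
    """Constructed test double: first response is truncated, later ones intact."""
    calls = {"n": 0}
    header = {"X-Content-SHA256": hashlib.sha256(body).hexdigest()}

    def fetch():
        calls["n"] += 1
        sent = body[:-5] if calls["n"] == 1 else body
        return header, (sent[i:i + chunk_size] for i in range(0, len(sent), chunk_size))

    return fetch
```

A response with no X-Content-SHA256 header is treated as a mismatch, so unverified data never reaches `dest_path`.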