Is there a way for server to enforce the headers? #1

Open
yanfali opened this issue Aug 13, 2021 · 0 comments
Comments


yanfali commented Aug 13, 2021

Thank you for this plugin. I've been looking over the code and wondering if there's a way to specify a minimum list of headers that the server can require in the plugin. If I'm reading the code correctly, it appears the client can choose which headers are used to calculate the HMAC and the server won't enforce any minimum set of headers while parsing the Auth string. Did I misunderstand that?

My concern is this could lead to a downgrade attack, where an incorrectly configured client could just specify fewer fields, and the server would happily honor the request. I assume specifying more fields means you potentially have more entropy and the HMAC is more resistant to attacks?

Also if I understand the spec correctly, one would need to issue an OPTIONS request, much like CORS, to get a list of the headers needed for the signature?
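As an added example, not code from the plugin this issue is about: a server-side verifier that enforces a minimum signed-header set, so a client that lists fewer headers is rejected before its MAC is even checked. It assumes an Authorization header in the style of the HTTP Signatures draft (`Signature keyId="...",algorithm="...",headers="...",signature="..."`) with HMAC-SHA256; the `REQUIRED_HEADERS` policy, the key, and the sample requests are constructed for illustration and are not the plugin's own. The demo shows a fully signed request accepted, a client that signs only Date rejected, and what happens without a minimum set: that Date-only signature verifies unchanged against an unrelated DELETE request, which is the downgrade the issue describes.

```python
import base64
import hashlib
import hmac
import re
from typing import Iterable, Mapping, Tuple

# Hypothetical server policy: a signature is only accepted if it covers at least these.
REQUIRED_HEADERS = frozenset({"(request-target)", "host", "date"})

_PARAM_RE = re.compile(r'([A-Za-z]+)="([^"]*)"')


def parse_signature_header(value: str) -> dict:
    """Parse 'Signature keyId="...",algorithm="...",headers="...",signature="..."'."""
    scheme, _, params = value.strip().partition(" ")
    if scheme != "Signature":
        raise ValueError("unsupported auth scheme")
    parsed = dict(_PARAM_RE.findall(params))
    for field in ("keyId", "algorithm", "headers", "signature"):
        if field not in parsed:
            raise ValueError(f"missing parameter {field}")
    return parsed


def signing_string(method: str, path: str, headers: Mapping[str, str],
                   header_list: Iterable[str]) -> str:
    """Canonical string the HMAC covers: one 'name: value' line per listed header.
    Header names are expected lower-cased in `headers`."""
    lines = []
    for name in header_list:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in headers:
            lines.append(f"{name}: {headers[name].strip()}")
        else:
            raise ValueError(f"header {name!r} is listed in the signature but absent")
    return "\n".join(lines)


def sign(key: bytes, key_id: str, method: str, path: str,
         headers: Mapping[str, str], header_list: list) -> str:
    """Client side. The client picks header_list; nothing here stops it from picking too few."""
    digest = hmac.new(key, signing_string(method, path, headers, header_list).encode(),
                      hashlib.sha256).digest()
    return 'Signature keyId="{}",algorithm="hmac-sha256",headers="{}",signature="{}"'.format(
        key_id, " ".join(header_list), base64.b64encode(digest).decode())


def verify(keys: Mapping[str, bytes], method: str, path: str, headers: Mapping[str, str],
           required: frozenset = REQUIRED_HEADERS) -> Tuple[bool, str]:
    """Server side. Rejects the request before touching the MAC if the client's
    headers list does not cover the server's minimum set."""
    try:
        params = parse_signature_header(headers["authorization"])
    except (KeyError, ValueError) as exc:
        return False, f"malformed authorization: {exc}"
    if params["algorithm"] != "hmac-sha256":
        return False, "unsupported algorithm"
    signed = [h.lower() for h in params["headers"].split()]
    missing = required - set(signed)
    if missing:
        return False, "missing signed headers: " + " ".join(sorted(missing))
    key = keys.get(params["keyId"])
    if key is None:
        return False, "unknown keyId"
    try:
        expected = hmac.new(key, signing_string(method, path, headers, signed).encode(),
                            hashlib.sha256).digest()
        given = base64.b64decode(params["signature"], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"bad signature encoding: {exc}"
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: a correctly configured client, a downgraded one, and a replay."""
    key_id, key = "client-1", b"constructed-shared-secret"  # constructed, not a real secret
    keys = {key_id: key}
    base = {"host": "api.example.test", "date": "Fri, 13 Aug 2021 10:00:00 GMT"}
    full = ["(request-target)", "host", "date"]
    good = dict(base, authorization=sign(key, key_id, "POST", "/orders", base, full))
    # A misconfigured client that signs only Date: the MAC itself is valid.
    weak = dict(base, authorization=sign(key, key_id, "POST", "/orders", base, ["date"]))
    tampered = dict(good, host="attacker.example.test")
    return {
        "full": verify(keys, "POST", "/orders", good),
        "downgraded": verify(keys, "POST", "/orders", weak),
        # Without a minimum set, the Date-only signature also verifies on a different request.
        "replay_without_policy": verify(keys, "DELETE", "/orders/42", weak, required=frozenset()),
        "tampered_host": verify(keys, "POST", "/orders", tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {result}")
```

The minimum-set check deliberately runs before the MAC is computed: an under-covered signature is a policy violation regardless of whether the MAC is correct, and checking coverage first means the server never spends a key lookup or HMAC on a request it will refuse anyway.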
