Securing a get request using HMAC

Mike Hogan

May 12, 2014, 6:26:26 AM
to utter...@googlegroups.com
Folks, I have written a general purpose HttpHandler that can check the authenticity of a request using HMAC. However, it includes the HTTP method and URL only in the inputs to the signature (along with the secret key of course). I am fearful there may be a way to exploit this that I am not aware of (by allowing the request headers to be changed), so I asked on Stack Overflow, and am now cross-posting here as this list is likely to really understand the issues (right? :) )


Ta,
Mike.
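
An added example, not part of the original post and not the HttpHandler it describes: a Python sketch of what a signature over method and URL does and does not cover, next to a variant that also binds a named set of headers. The key, URL, header names and function names are all constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret

def sign_method_url(secret, method, url):
    """Scheme from the post: the MAC input is the method and URL only."""
    msg = f"{method.upper()}\n{url}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def sign_with_headers(secret, method, url, headers, signed_names):
    """Variant (assumption): also bind a named, sorted set of headers."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(n.lower() for n in signed_names)
    # The list of signed names is itself signed, so it cannot be shortened.
    lines = [method.upper(), url, ";".join(names)]
    for name in names:
        if name not in lowered:
            raise ValueError(f"missing signed header: {name}")
        lines.append(f"{name}:{lowered[name]}")
    msg = "\n".join(lines).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_method_url(secret, method, url, headers, presented):
    # Received headers are ignored: they never enter the MAC input.
    expected = sign_method_url(secret, method, url)
    return hmac.compare_digest(expected, presented)

def verify_with_headers(secret, method, url, headers, signed_names, presented):
    try:
        expected = sign_with_headers(secret, method, url, headers, signed_names)
    except ValueError:
        return False  # a signed header was stripped in transit
    return hmac.compare_digest(expected, presented)

# Constructed sample request and a copy whose Accept header differs.
METHOD, URL = "GET", "https://api.example.test/reports/42?format=csv"
ORIGINAL = {"Accept": "text/csv", "X-Date": "2014-05-12T06:26:26Z"}
ALTERED = {"Accept": "application/json", "X-Date": "2014-05-12T06:26:26Z"}
SIGNED = ["Accept", "X-Date"]

if __name__ == "__main__":
    s1 = sign_method_url(SECRET, METHOD, URL)
    s2 = sign_with_headers(SECRET, METHOD, URL, ORIGINAL, SIGNED)
    print(verify_method_url(SECRET, METHOD, URL, ALTERED, s1))
    print(verify_with_headers(SECRET, METHOD, URL, ALTERED, SIGNED, s2))
```

With method-and-URL signing, the verifier accepts the request whatever the headers say, so the handler should treat every header as unauthenticated input unless it is part of the signed string.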
