drf-httpsig
Validate date header to protect against replay attacks
The http-signature security audit recommends that server implementations validate the required Date header to be within a 5-minute clock-skew interval.
https://web-payments.org/specs/source/http-signatures-audit/#replay-http
Excerpt:
As the default scheme is to include the Date header in the signature, service providers SHOULD protect against logged replay attacks by enforcing a clock skew. The server SHOULD be synchronized with NTP, and the recommendation is to allow 300 seconds of clock skew (in either direction).
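As an added illustration (not drf-httpsig's own code), the check the audit describes: parse the signed Date header as an RFC 7231 date and reject the request when it lies more than 300 seconds from the server's NTP-synchronized clock in either direction. The function name and the (ok, reason) return shape are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The audit's recommendation: allow 300 seconds of skew in either direction.
MAX_SKEW = timedelta(seconds=300)


def check_date_header(date_value, now=None, max_skew=MAX_SKEW):
    """Validate a signed Date header against the server clock.

    Returns (ok, reason). A missing or unparseable header is rejected, since
    a signature over an absent or malformed Date gives no replay protection.
    `now` is injectable so the check can be tested with a fixed clock.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    if not date_value:
        return False, "missing Date header"
    try:
        sent = parsedate_to_datetime(date_value)
    except (TypeError, ValueError, IndexError):
        # Older Pythons raise TypeError, newer ones ValueError, on bad input.
        return False, "unparseable Date header"
    if sent.tzinfo is None:
        # An RFC 5322 "-0000" zone yields a naive datetime; treat it as GMT.
        sent = sent.replace(tzinfo=timezone.utc)
    delta = abs(now - sent)
    if delta > max_skew:
        return False, "Date header outside allowed skew by %ds" % delta.total_seconds()
    return True, "ok"
```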