diff --git a/.circleci/config.yml b/.circleci/config.yml
index ee50d98..5d76f93 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,7 +3,7 @@ version: 2.1
 executors:
 build-executor:
 docker:
- - image: ubuntu:20.04
+ - image: ubuntu:24.04
 resource_class: small
 jobs:
 build:
@@ -26,7 +26,7 @@ jobs:
 - run:
 name: Build and test
 command: |
- export NGINX_VERSION=1.18.0
+ export NGINX_VERSION=1.28.0
 export LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib
 make prepare-travis-env nginx test
diff --git a/.gitignore b/.gitignore
index 2a8de2e..3499f61 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /.cmocka_build
 /test_suite
+.aider*
diff --git a/aws_functions.h b/aws_functions.h
index dfe95f3..c1616ad 100644
--- a/aws_functions.h
+++ b/aws_functions.h
@@ -24,8 +24,9 @@
 #define __NGX_AWS_FUNCTIONS_INTERNAL__H__
 #include
-#include
+#include
 #include
+#include
 #include
 #include "crypto_helper.h"
@@ -146,6 +147,11 @@ static inline const ngx_str_t* ngx_aws_auth__canonize_query_string(ngx_pool_t *p
 for(i = 0; i < query_string_args->nelts; i++) {
 qs_arg = &((header_pair_t*)query_string_args->elts)[i];
+ if(i > 0) {
+ *(retval->data + retval->len) = '&';
+ retval->len++;
+ }
+
 ngx_memcpy(retval->data + retval->len, qs_arg->key.data, qs_arg->key.len);
 retval->len += qs_arg->key.len;
@@ -154,11 +160,7 @@ static inline const ngx_str_t* ngx_aws_auth__canonize_query_string(ngx_pool_t *p
 ngx_memcpy(retval->data + retval->len, qs_arg->value.data, qs_arg->value.len);
 retval->len += qs_arg->value.len;
-
- *(retval->data + retval->len) = '&';
- retval->len++;
 }
- retval->len--;
 safe_ngx_log_error(req, "canonical qs constructed is %V", retval);
diff --git a/crypto_helper.h b/crypto_helper.h
index 072ef28..df2f3ff 100644
--- a/crypto_helper.h
+++ b/crypto_helper.h
@@ -1,7 +1,7 @@
 #ifndef __NGX_AWS_AUTH__CRYPTO_HELPER__
 #define __NGX_AWS_AUTH__CRYPTO_HELPER__
-
+#include
 #include
 #include
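Review bot: The separator write at `*(retval->data + retval->len) = '&'` still depends on the buffer allocated before the hunk holding one `&` per pair, and that sizing is not visible here, so I would pin the invariant in a comment above the new `if(i > 0)` block: `/* '&' goes between pairs only, never after the last one: no trailing byte to strip and no len-- underflow when there are no args */`. With `nelts == 0` the function now yields an empty canonical string instead of the old decrement of a zero length, which is the right outcome but deserves a sentence in the function's header comment. ngx_aws_auth__canonize_query_string starts and ends outside the hunk, so the allocation and the return are not reviewed here.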
diff --git a/crypto_helper_openssl.c b/crypto_helper_openssl.c
index b62785b..7a57671 100644
--- a/crypto_helper_openssl.c
+++ b/crypto_helper_openssl.c
@@ -20,19 +20,44 @@ static const EVP_MD* evp_md = NULL;
 ngx_str_t* ngx_aws_auth__sign_sha256_hex(ngx_pool_t *pool, const ngx_str_t *blob, const ngx_str_t *signing_key) {
- unsigned int md_len;
 unsigned char md[EVP_MAX_MD_SIZE];
- ngx_str_t *const retval = ngx_palloc(pool, sizeof(ngx_str_t));
+ unsigned int md_len;
+ ngx_str_t *const retval = ngx_palloc(pool, sizeof(ngx_str_t));
+ HMAC_CTX *ctx = NULL;
+
+ if (evp_md == NULL) {
+ evp_md = EVP_sha256();
+ }
+
+ ctx = HMAC_CTX_new();
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ if (!HMAC_Init_ex(ctx, signing_key->data, signing_key->len, evp_md, NULL)) {
+ HMAC_CTX_free(ctx);
+ return NULL;
+ }
+
+ if (!HMAC_Update(ctx, blob->data, blob->len)) {
+ HMAC_CTX_free(ctx);
+ return NULL;
+ }
- if (evp_md==NULL) {
- evp_md = EVP_sha256();
+ if (!HMAC_Final(ctx, md, &md_len)) {
+ HMAC_CTX_free(ctx);
+ return NULL;
 }
- HMAC(evp_md, signing_key->data, signing_key->len, blob->data, blob->len, md, &md_len);
- retval->data = ngx_palloc(pool, md_len * 2 + 1);
- retval->len = md_len * 2;
- ngx_hex_dump(retval->data, md, md_len);
- return retval;
+ HMAC_CTX_free(ctx);
+
+ retval->data = ngx_palloc(pool, md_len * 2 + 1);
+ if (retval->data == NULL) {
+ return NULL;
+ }
+ retval->len = md_len * 2;
+ ngx_hex_dump(retval->data, md, md_len);
+ return retval;
 }
 ngx_str_t* ngx_aws_auth__hash_sha256(ngx_pool_t *pool, const ngx_str_t *blob) {
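Review bot: `retval` is still dereferenced unchecked: the hunk adds a NULL test for `retval->data`, but `ngx_str_t *const retval = ngx_palloc(pool, sizeof(ngx_str_t))` can itself return NULL, and `retval->data = ngx_palloc(...)` then writes through it; add `if (retval == NULL) { return NULL; }` directly after that declaration, before `HMAC_CTX_new()`, so no context needs freeing on that path. The raw HMAC output left in `md` is an intermediate secret when this function is used for SigV4 key derivation (the `signing_key` parameter suggests that use, though callers are not in view), so clear it with `OPENSSL_cleanse(md, sizeof md);` after `ngx_hex_dump` rather than leaving it on the stack. Separately, `HMAC_CTX_new`/`HMAC_Init_ex`/`HMAC_Final` are deprecated as of OpenSSL 3.0, which the ubuntu:24.04 CI image bumped in this same commit will build against; it still compiles, but expect deprecation warnings unless the project moves to the EVP_MAC API or defines OPENSSL_API_COMPAT.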
@@ -40,29 +65,32 @@ ngx_str_t* ngx_aws_auth__hash_sha256(ngx_pool_t *pool, const ngx_str_t *blob) {
 unsigned int hash_len;
 ngx_str_t *const retval = ngx_palloc(pool, sizeof(ngx_str_t));
- EVP_MD_CTX *mdctx;
- mdctx = EVP_MD_CTX_new();
-
+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
 if (mdctx == NULL) {
- // Handle error
 return NULL;
 }
- if((mdctx = EVP_MD_CTX_create()) == NULL)
- return NULL;
-
- if(1 != EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
+ if (1 != EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL)) {
+ EVP_MD_CTX_free(mdctx);
 return NULL;
+ }
- if(1 != EVP_DigestUpdate(mdctx, blob->data, blob->len))
+ if (1 != EVP_DigestUpdate(mdctx, blob->data, blob->len)) {
+ EVP_MD_CTX_free(mdctx);
 return NULL;
+ }
- if(1 != EVP_DigestFinal_ex(mdctx, hash, &hash_len))
+ if (1 != EVP_DigestFinal_ex(mdctx, hash, &hash_len)) {
+ EVP_MD_CTX_free(mdctx);
 return NULL;
+ }
 EVP_MD_CTX_free(mdctx);
 retval->data = ngx_palloc(pool, hash_len * 2 + 1);
+ if (retval->data == NULL) {
+ return NULL;
+ }
 retval->len = hash_len * 2;
 ngx_hex_dump(retval->data, hash, hash_len);
 return retval;
diff --git a/ngx_http_aws_auth.c b/ngx_http_aws_auth.c
index bbd486d..a77adc0 100644
--- a/ngx_http_aws_auth.c
+++ b/ngx_http_aws_auth.c
@@ -176,7 +176,7 @@ ngx_http_aws_proxy_sign(ngx_http_request_t *r)
 continue;
 }
- h = ngx_list_push(&r->headers_in.headers);
+ h = ngx_list_push(&r->headers_out.headers);
 if (h == NULL) {
 return NGX_ERROR;
 }
diff --git a/vendor/cmocka b/vendor/cmocka
index f5e2cd7..eba4d6f 160000
--- a/vendor/cmocka
+++ b/vendor/cmocka
@@ -1 +1 @@
-Subproject commit f5e2cd77c88d9f792562888d2b70c5a396bfbf7a
+Subproject commit eba4d6ffca53b500ab8dfabc30256bb6c3088b2b
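Review bot: `retval` from `ngx_palloc(pool, sizeof(ngx_str_t))` is still dereferenced unchecked at `retval->data = ngx_palloc(...)`, the same gap the hunk closes for the second allocation; test it before the digest context is created so nothing needs freeing, `if (retval == NULL) { return NULL; }` right after its declaration. The three identical `EVP_MD_CTX_free(mdctx); return NULL;` pairs would read better funnelled through one `fail:` label, but that is style only and not a blocker. The `hash` buffer declaration and the function's closing brace lie outside the hunk.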
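Review bot: Switching the push from `r->headers_in.headers` to `r->headers_out.headers` changes which message the header lands in: headers_out is the response sent back to the client, whereas the upstream request built by proxy_pass is assembled from headers_in. If ngx_http_aws_proxy_sign exists to attach the SigV4 `Authorization`/`x-amz-*` headers to the request forwarded to S3, as the function name and the previous headers_in target suggest, this would both stop those headers reaching the upstream and echo the computed signature to the client, which is a disclosure. The loop body and the commit message are not in view, so if the move is deliberate a comment above the push stating which list is targeted and why, e.g. `/* headers_out on purpose: ... */`, would stop the next reader reverting it. The function starts and ends outside the hunk.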