If I send the following response more than once to an untrusted party:
{c, v, HMAC(c + v)}
where c is the same value from response to response.
where v varies from response to response.
where + is a concatenation.
Does having the constant as the start of the HMAC input "weaken" the HMAC?
Is it safer to compute the HMAC with the varying argument first:
{c, v, HMAC(v + c)}
or perhaps doesn't matter?
It doesn't matter. HMAC is designed specifically to address prefix attacks, among others.