It is important to add an extra layer of security over the /published webhook, as it is the most important and the sole entrypoint for sending email newsletters.
Currently, it is not at all trivial to send some garbage content to the webhook, which will then be sent to all of the members.
Of course, it involves finding the main domain that hosts Ghosler, but even that isn't trivial if you use the Track URL Clicks option.
Proposal
Use a Secret provided by the user to create the Webhook on Ghost and perform authorization on Ghosler when the webhook endpoint receives content.