Open mjallday opened 11 years ago
+1
PoundPay did this when we first started out. I'll see if I can fit it in soon.
Yea, signing would be great. Definitely think that the client would need to support signature verification, or raise an exception for an invalid signature.
+1
+1
Should we use something like http://openid.net/specs/draft-jones-json-web-token-07.html?
+1
Yeah, something like HMAC would make a lot of sense here.
Looks like using the API key to do this would not work since there can be multiple API keys at any one time.
From the mandrill link they suggest each webhook having an authentication key which is used for signing and verifying the payloads. This sounds like a better approach.
We could also look at using a shared secret as suggested in #561
+1 from @Gittip. ref
From a security standpoint, what does signing requests provide that IP filtering doesn't? Is IP filtering secure?
It's probably trivial for someone to intercept the request and change the header for the IP address the request is originating from. With signed requests you have to possess something that no one else has or a shared secret.
A little late to the party, but it's simple to spoof an X-Forwarded-For header as well.
Each server should, per the spec, add its IP to the list, if the header is already provided. Thus, sending a request with that header already in place easily spoofs your outgoing IP. This means you can never trust that header to be accurate.
Creating a separate issue that stems from requests on #70
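
The per-webhook signing key and client-side verification discussed in this thread, as an added example that is not part of the original thread or the project's code. The header name `X-Webhook-Signature`, the hex HMAC-SHA256 encoding, the secret and the payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical header name; the thread does not define one.
SIGNATURE_HEADER = "X-Webhook-Signature"


class InvalidSignature(Exception):
    """Raised when a webhook payload fails signature verification."""


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes) -> dict:
    """Receiver side: authenticate the raw body before parsing it."""
    received = headers.get(SIGNATURE_HEADER)
    if not received:
        raise InvalidSignature("missing signature header")
    expected = sign(secret, body)
    # Constant-time comparison on bytes, so the check does not leak
    # how many leading characters of a guess were correct.
    if not hmac.compare_digest(expected.encode(),
                               received.encode("utf-8", "replace")):
        raise InvalidSignature("signature mismatch")
    return json.loads(body)


def accepts(secret: bytes, headers: dict, body: bytes) -> bool:
    """Convenience wrapper: True only if the signature verifies."""
    try:
        verify(secret, headers, body)
        return True
    except InvalidSignature:
        return False


# Constructed sample data: one secret per webhook, not the account API key.
WEBHOOK_SECRET = b"constructed-per-webhook-secret"
BODY = b'{"type": "example.event", "amount": 1000}'
GENUINE = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, BODY)}
# A sender-supplied X-Forwarded-For value proves nothing about origin.
FORGED = {"X-Forwarded-For": "203.0.113.10", SIGNATURE_HEADER: "0" * 64}
TAMPERED_BODY = BODY.replace(b"1000", b"9999")
```

The signature is computed over the raw request body, so the receiver has to verify before any JSON parsing or re-serialisation changes the bytes.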