balanced / balanced-api

Balanced API specification.

Sign webhook payloads #342

Open mjallday opened 11 years ago

mjallday commented 11 years ago

Creating a separate issue that stems from requests on #70

todgru commented 11 years ago

+1

mahmoudimus commented 11 years ago

PoundPay did this when we first started out. I'll see if I can fit it in soon.

ajsharp commented 11 years ago

Yea, signing would be great. Definitely think that the client would need to support signature verification, or raise an exception for an invalid signature.

cyrusstoller commented 11 years ago

+1

machinshin commented 11 years ago

+1

bninja commented 11 years ago

should we use something like http://openid.net/specs/draft-jones-json-web-token-07.html?

satiani commented 11 years ago

+1

steveklabnik commented 10 years ago

Yeah, something like HMAC would make a lot of sense here.

kyle-eshares commented 10 years ago

+1

http://help.mandrill.com/entries/23704122-Authenticating-webhook-requests

mjallday commented 10 years ago

Looks like using the API key to do this would not work since there can be multiple API keys at any one time.

From the mandrill link they suggest each webhook having an authentication key which is used for signing and verifying the payloads. This sounds like a better approach.

We could also look at using a shared secret as suggested in #561
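The per-webhook signing key suggested above, combined with the HMAC idea raised earlier in the thread, looks like the following. This is an added example, not code from the Balanced project; the header name, the JSON canonicalisation and the secret value are assumptions chosen for illustration.

```python
import hmac
import hashlib
import json

# Assumed per-webhook secret: one key per webhook endpoint, not the account API
# key (the thread notes an account can have several API keys at once).
# Constructed value for this example only.
WEBHOOK_SECRET = b"example-webhook-secret-do-not-reuse"

# Assumed header name; the project would pick its own.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body under the per-webhook secret."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_webhook_request(secret: bytes, event: dict) -> tuple:
    """Sender side: serialise the event and attach the signature header.

    The MAC is computed over the exact bytes that go on the wire, so the
    receiver must verify the raw body before parsing it.
    """
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign_payload(secret, body),
    }
    return headers, body


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute the MAC over the raw bytes and compare in constant time.

    Returns False (rather than raising) so callers can decide how to reject;
    a client library would typically raise here, as suggested in the thread.
    """
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign_payload(secret, body)
    # compare_digest avoids a timing side channel on the first differing byte.
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Exercise the happy path and the failure modes a receiver must reject."""
    # Constructed sample event; field names are illustrative only.
    event = {"type": "credit.succeeded", "amount": 1000, "id": "CR-constructed-1"}
    headers, body = build_webhook_request(WEBHOOK_SECRET, event)

    results = {"genuine": verify_webhook(WEBHOOK_SECRET, headers, body)}
    # Body altered in transit: the MAC no longer matches.
    tampered = body.replace(b"1000", b"9999")
    results["tampered_body"] = verify_webhook(WEBHOOK_SECRET, headers, tampered)
    # Header stripped: nothing to verify, so reject.
    results["missing_header"] = verify_webhook(WEBHOOK_SECRET, {}, body)
    # Signed under some other webhook's secret: reject.
    results["wrong_secret"] = verify_webhook(b"other-secret", headers, body)
    return results


if __name__ == "__main__":
    print(demo())
```

Verification has to run on the raw request bytes before any JSON parsing, since re-serialising the parsed object can change whitespace or key order and break the MAC; the receiver also needs a constant-time comparison so that an invalid signature is rejected without leaking how much of it was correct.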

chadwhitacre commented 10 years ago

+1 from @Gittip. ref

chadwhitacre commented 10 years ago

From a security standpoint, what does signing requests provide that IP filtering doesn't? Is IP filtering secure?

mjallday commented 10 years ago

It's probably trivial for someone to intercept the request and change the header for the IP address the request is originating from. With signed requests you have to possess something that no one else has, or a shared secret.

kageurufu commented 9 years ago

A little late to the party, but it's simple to spoof an X-Forwarded-For header as well.

Each server should, per the spec, add its IP to the list if the header is already provided. Thus, sending a request with that header already in place easily spoofs your outgoing IP. This means you can never trust that header to be accurate.