We should prefer this header and probably fall back to the `X-Hub-Signature` header in the case that it's missing (in the case of maybe old Enterprise Server installations???)
I'm also a little conflicted about the current practice of requiring a secret to be set. I think there are probably legitimate use cases where a secret isn't needed and it makes some approaches to local dev and testing a bit more complicated. For now let's provide an interface to opt out and give a more kind error message (right now I'm pretty sure we throw a relatively opaque `KeyError` 😞) in the case that the user has not opted out and the header is missing.
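A sketch of the behaviour proposed above, added here as an illustration and not taken from the project's code. It assumes the preferred header is GitHub's `X-Hub-Signature-256` (the issue does not name it); `verify_webhook`, `SignatureError`, `require_signature`, `sign` and the sample secret and body are hypothetical names and constructed values.

```python
import hashlib
import hmac


class SignatureError(Exception):
    """Raised with an actionable message instead of a bare KeyError."""


# (lower-cased header name, value prefix, digest), most preferred first.
# Assumption: the preferred header is X-Hub-Signature-256 (HMAC-SHA256).
SCHEMES = (
    ("x-hub-signature-256", "sha256", hashlib.sha256),
    ("x-hub-signature", "sha1", hashlib.sha1),
)

# Constructed sample values, not real credentials or payloads.
SAMPLE_SECRET = "constructed-secret"
SAMPLE_BODY = b'{"action":"opened"}'


def sign(secret, body, algo, digest):
    """Build the header value in the '<algo>=<hex hmac>' form."""
    return algo + "=" + hmac.new(secret.encode(), body, digest).hexdigest()


def verify_webhook(headers, body, secret=None, require_signature=True):
    """Return the header that verified, or None if the caller opted out."""
    if not require_signature:
        return None  # explicit opt-out, e.g. local dev and testing
    if not secret:
        raise SignatureError(
            "no webhook secret configured; set one or pass require_signature=False"
        )
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, algo, digest in SCHEMES:
        received = lowered.get(name)
        if received is None:
            continue  # fall back only when the header is missing
        expected = sign(secret, body, algo, digest)
        # Constant-time comparison; a present but wrong header never falls back.
        if not hmac.compare_digest(expected.encode(), received.encode()):
            raise SignatureError(f"{name} does not match the request body")
        return name
    raise SignatureError(
        "request has neither X-Hub-Signature-256 nor X-Hub-Signature; "
        "configure a secret on the webhook or pass require_signature=False"
    )
```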