search

twilio-labs / twilio-aspnet

Integrate Twilio Programmable Messaging and Voice with ASP.NET Respond to webhooks with TwiML in seconds
Apache License 2.0
59 stars 30 forks source link

Add `Enabled` option for request validation, in favor of `AllowLocal` (please provide feedback) #124

Open Swimburger opened 1 year ago

Swimburger commented 1 year ago

Recently, the default value for AllowLocal has been changed from true to false. This was because AllowLocal makes the request validation vulnerable to Server-Side Request Forgery.

Maybe it makes more sense to build in a kill-switch to turn on/off request validation as a whole, instead of AllowLocal. This option would respect .NET configuration's reloadOnChange feature, so it can be changed without having to restart the application.

I'm just thinking out loud here and would like feedback, thank you!

dkrasnove commented 1 month ago

I second this. I have to use a workaround because I'm running locally in docker.