Have invalid signature transmit 404 error instead of forbidden #37

Open
mockdeep opened this issue Jan 6, 2016 · 2 comments

mockdeep commented Jan 6, 2016

It would be nice if we could have our webhook render a generic 404 message to not give malicious attackers any information about what is going on.

Member

tardate commented Jan 11, 2016

@mockdeep that's a good idea. At the moment we probably give away TMI:

context "with invalid key" do
  ...
  expect(processor_instance).to receive(:head).with(:forbidden, :text => "Mandrill signature did not match.")

I'm open to suggestions:

  • just change this to a generic 404
  • or make this a configurable behaviour?

@mockdeep
Author

@tardate, I don't have a strong opinion one way or another. If I were to guess, I would say it's probably safe and simpler to just change it to a 404. It might be a little more confusing for someone debugging their webhook, though, so not sure if you want to maintain both options. I could see something like:

authenticate_with_mandrill_keys! 'YOUR_MANDRILL_WEBHOOK_KEY', fail_with: :not_found
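
A sketch of the configurable failure response discussed in this thread, added here as an example and not the project's own code. It assumes Mandrill's documented signing scheme (Base64 of HMAC-SHA1 over the webhook URL plus the sorted POST keys and values); `mandrill_signature`, `authenticate_webhook` and `FAILURE_STATUS` are hypothetical names, and `fail_with` is the option name proposed in the comment above.

```ruby
require "openssl"
require "base64"
require "logger"

# Hypothetical mapping for the proposed fail_with option.
FAILURE_STATUS = { forbidden: 403, not_found: 404 }.freeze

# HMAC-SHA1 over the URL followed by each POST key and value
# (sorted by key, no delimiters), Base64-encoded.
def mandrill_signature(key, url, params)
  data = params.sort.reduce(url.dup) { |acc, (k, v)| acc << k.to_s << v.to_s }
  Base64.strict_encode64(OpenSSL::HMAC.digest("sha1", key, data))
end

# Returns [status, body]. The rejection reason is written to the server log
# only, so the operator can still debug while the caller gets the same empty
# response for a missing header and for a wrong signature.
def authenticate_webhook(keys, url, params, header_sig, fail_with: :not_found, logger: Logger.new(nil))
  supplied = header_sig.to_s
  # Check every configured key with a constant-time comparison.
  ok = keys.map { |key| OpenSSL.secure_compare(mandrill_signature(key, url, params), supplied) }.any?
  return [200, "ok"] if ok

  reason = supplied.empty? ? "missing signature header" : "signature mismatch"
  logger.warn("mandrill webhook rejected: #{reason} url=#{url}")
  [FAILURE_STATUS.fetch(fail_with), ""]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request; the key and URL are placeholders.
  key    = "constructed-test-key"
  url    = "https://example.test/inbox"
  params = { "mandrill_events" => '[{"event":"inbound"}]' }
  good   = mandrill_signature(key, url, params)

  p authenticate_webhook([key], url, params, good)
  p authenticate_webhook([key], url, params, "bogus", logger: Logger.new($stderr))
  p authenticate_webhook([key], url, params, "bogus", fail_with: :forbidden)
end
```
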
