
Web hook security issue

Open ivandotv opened this issue 3 years ago • 2 comments

Webhooks need to have some kind of protection; otherwise, anyone on the internet can call them.

It would be great if the server, when triggering the hook, could send a custom header with a custom value, so we know that the hook is triggered by the real server.

ivandotv avatar Aug 05 '22 08:08 ivandotv

@ivandotv there is an easy way to secure a web hook URL if the provider doesn't support any kind of security header: via a token in the web hook URL. So, instead of using https://example.com/webhook you go with https://example.com/webhook/<SOME TOKEN HERE>. Then inside the web hook implementation you take the token from the parameters and validate it. Not saying that this is the best way to go, just sharing in case someone on the Internet is looking for a good solution until we have some header-based security implemented.

kimrgrey avatar Aug 15 '22 21:08 kimrgrey

We had success using a proxy with an authenticated username and password. A little annoying but works fine!

ColeTownsend avatar Aug 23 '22 21:08 ColeTownsend

I will take it.

appleboy avatar Dec 17 '22 14:12 appleboy

@appleboy Since a long time has passed and there are no updates, are you still taking on this issue? I can take it if you are not interested anymore.

ivandotv avatar Jul 05 '23 09:07 ivandotv

@ivandotv See the PR https://github.com/appleboy/gorush/pull/745. I will bump the next version ASAP.

appleboy avatar Jul 08 '23 03:07 appleboy

@ivandotv

core:
  port: "8088" # ignore this port number if auto_tls is enabled (listen 443).
  worker_num: 0 # default worker number is runtime.NumCPU()
  queue_num: 0 # default queue number is 8192
  max_notification: 100
  sync: false
- feedback_hook_url: ""
+ feedback_hook_url: "https://exemple.com/api/hook"
+ feedback_header:
+   - x-gorush-token:4e989115e09680f44a645519fed6a976
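Review bot: the `feedback_header` item carries a static shared secret in plain text, so the sample value `4e989115e09680f44a645519fed6a976` should be replaced with a freshly generated random token in any real deployment and the config file kept out of version control; the receiver should also reject requests that omit the header and compare the token in constant time. Two smaller points on the same hunk: the list item is a bare `x-gorush-token:<value>` string with no space after the colon, so a comment stating that `name:value` is the expected format (and that the split is on the first `:`) would save users a round trip, and `https://exemple.com/api/hook` looks like a typo for `example.com`.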

appleboy avatar Jul 08 '23 03:07 appleboy
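The thread describes two ways to authenticate a gorush feedback hook: the interim `.../webhook/<TOKEN>` workaround from kimrgrey's comment and the `feedback_header` setting with an `x-gorush-token` header from the config example above. The following receiver is an added example written for this thread; it is not code from gorush or from any of the commenters. It assumes the header name `x-gorush-token` from the config example, a constructed placeholder secret, and a made-up `Probe` helper used only to exercise the handler in-process. Both token locations are accepted, the comparison is constant-time, and a receiver configured with an empty secret rejects everything rather than accepting everything.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// HookTokenHeader is the header name used in the feedback_header example
// from the thread.
const HookTokenHeader = "x-gorush-token"

// tokenValid reports whether presented equals expected, comparing in
// constant time so a wrong guess cannot be timed byte by byte.
// An empty expected token always fails: a receiver deployed without a
// secret must not accept every request.
func tokenValid(presented, expected string) bool {
	if expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// NewHookHandler wraps inner and only lets authenticated requests through.
// The token is read from the x-gorush-token header; if that header is
// absent it falls back to the last URL path segment, which is the
// ".../webhook/<TOKEN>" workaround described in the thread.
func NewHookHandler(expected string, inner http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		presented := r.Header.Get(HookTokenHeader)
		if presented == "" {
			presented = path.Base(r.URL.Path)
		}
		if !tokenValid(presented, expected) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		inner.ServeHTTP(w, r)
	})
}

// Probe (hypothetical helper for this example) sends one in-memory request
// to h and returns the status code. headerToken is placed in x-gorush-token
// when non-empty; urlPath is the request path, so the URL-token variant can
// be exercised as well.
func Probe(h http.Handler, urlPath, headerToken string) int {
	req := httptest.NewRequest(http.MethodPost, urlPath, nil)
	if headerToken != "" {
		req.Header.Set(HookTokenHeader, headerToken)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed placeholder secret for the demo; in a real deployment load
	// it from the environment or a secret store and keep it out of the repo.
	const secret = "REPLACE_WITH_GENERATED_SECRET"
	h := NewHookHandler(secret, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	fmt.Println("valid header  :", Probe(h, "/api/hook", secret))          // 204
	fmt.Println("wrong header  :", Probe(h, "/api/hook", "guess"))         // 403
	fmt.Println("no token      :", Probe(h, "/api/hook", ""))              // 403
	fmt.Println("token in path :", Probe(h, "/api/hook/"+secret, ""))      // 204
}
```

Prefer the header form where the sender supports it: a token in the URL path ends up in access logs, proxy logs and browser history on every hop, while a custom header normally does not. Whichever form is used, the secret should be long and random, rotated if it ever appears in a log, and loaded from the environment or a secret store rather than committed alongside the config.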