free-email-forwarding
free-email-forwarding copied to clipboard
[feat] webhook payload signature verification
Currently, when my application receives the webhook payload sent by free-email-forwarding
there's no way to validate the request authenticity.
It would be nice if it has some validation field, like the signature
one which mailgun uses in their webhooks:
https://documentation.mailgun.com/en/latest/user_manual.html?highlight=signature#webhooks
Thanks for building this awesome project and making it open-source @niftylettuce!
You could verify the request came from mx1.forwardemail.net or mx2.forwardemail.net resolved IP addresses. I will add a signature or something as soon I can. Trying to ship the browser extension among other things. Thanks for raising this point @cauethenorio.
Hey @niftylettuce, is this still on the roadmap or are there other solutions for that now?
Will see what we can do!
Another solution is to just check that the IP resolved that it's coming from resolves to mx1.forwardemail.net
or mx2.forwardemail.net
in a reverse lookup. You can get the IP's specifically from dig mx1.forwardemail.net a
or dig mx2.forwardemail.net a
, so you could hard code it's from those specific IP addresses (or hostname in reverse lookup).
Thanks for your fast response. Checking the IP works for me. :)