[feat] webhook payload signature verification

Open cauethenorio opened this issue 3 years ago • 5 comments

Currently, when my application receives the webhook payload sent by free-email-forwarding there's no way to validate the request authenticity.

It would be nice if it had some validation field, like the signature one which Mailgun uses in their webhooks: https://documentation.mailgun.com/en/latest/user_manual.html?highlight=signature#webhooks

Thanks for building this awesome project and making it open-source @niftylettuce!

cauethenorio avatar Aug 18 '20 19:08 cauethenorio

You could verify the request came from mx1.forwardemail.net or mx2.forwardemail.net resolved IP addresses. I will add a signature or something as soon as I can. Trying to ship the browser extension among other things. Thanks for raising this point @cauethenorio.

niftylettuce avatar Aug 18 '20 19:08 niftylettuce

Hey @niftylettuce, is this still on the roadmap or are there other solutions for that now?

m4rvr avatar May 01 '24 18:05 m4rvr

Will see what we can do!

titanism avatar May 01 '24 18:05 titanism

Another solution is to just check that the IP that it's coming from resolves to mx1.forwardemail.net or mx2.forwardemail.net in a reverse lookup. You can get the IPs specifically from dig mx1.forwardemail.net a or dig mx2.forwardemail.net a, so you could hard code that it's from those specific IP addresses (or hostname in reverse lookup).

titanism avatar May 01 '24 18:05 titanism

Thanks for your fast response. Checking the IP works for me. :)

m4rvr avatar May 01 '24 18:05 m4rvr
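
The source-IP check suggested in the comments above, as an added example for a Node.js webhook receiver (not part of the thread and not Forward Email's own code). It resolves the two hostnames at check time instead of hard-coding addresses, fails closed on anything that is not a valid IP, and can additionally require a matching reverse lookup; the function names, the injectable `resolver` parameter and the `requirePtr` option are assumptions of this example.

```javascript
const dns = require('node:dns').promises;
const net = require('node:net');

// Hostnames named in the thread as the webhook senders.
const ALLOWED_HOSTS = ['mx1.forwardemail.net', 'mx2.forwardemail.net'];

// Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; strip the prefix.
function normalizeIp(ip) {
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip || '');
  return m ? m[1] : ip;
}

// Collect the A and AAAA records of every allowed host.
// A failed lookup contributes no addresses, so errors never widen the allow-list.
async function resolveAllowedIps(resolver = dns, hosts = ALLOWED_HOSTS) {
  const ips = new Set();
  for (const host of hosts) {
    for (const fn of ['resolve4', 'resolve6']) {
      const addrs = await resolver[fn](host).catch(() => []);
      addrs.forEach((a) => ips.add(a));
    }
  }
  return ips;
}

// True only if remoteIp is an address the allowed hosts currently resolve to.
// With requirePtr, the reverse lookup must also name one of those hosts; the
// forward match is always checked first because whoever controls an IP's
// reverse zone can make its PTR record say anything.
async function isForwardEmailSender(remoteIp, { resolver = dns, requirePtr = false } = {}) {
  const ip = normalizeIp(remoteIp);
  if (!net.isIP(ip)) return false; // missing or malformed address: reject
  const allowed = await resolveAllowedIps(resolver);
  if (!allowed.has(ip)) return false;
  if (!requirePtr) return true;
  const names = await resolver.reverse(ip).catch(() => []);
  return names.some((n) => ALLOWED_HOSTS.includes(n.toLowerCase().replace(/\.$/, '')));
}
```

Pass the TCP peer address (`req.socket.remoteAddress`) to `isForwardEmailSender`; a client-supplied header such as `X-Forwarded-For` is only usable when it is set by a reverse proxy you operate. In production, cache the resolved set for a short interval so that each webhook does not trigger fresh DNS queries.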