Authentication is very important for webhook receivers: they sit on the public web, so anyone who discovers the URL can send requests to them. We check this header against the token the sender should be using, which we store in an environment variable and read in our settings. If the two do not match, we reject the incoming message. We use `compare_digest()` (from Python's `hmac` module) to perform the comparison. Unlike a normal string comparison, which stops at the first differing byte, `compare_digest()` takes the same amount of time regardless of where the input differs from the secret, so a remote caller cannot recover the token one byte at a time by measuring response times. (It does not hide the length of the secret, only its contents, which is why the token should be long and random.) (Thanks to Florian Apolloner for reminding me to add this protection.)
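The check described above, as an added example that is not the post's own code. It assumes a header named `X-Webhook-Token` and an environment variable `WEBHOOK_TOKEN` (both names are assumptions for the illustration), and shows the short-circuiting `==` comparison beside the constant-time one:

```python
import hmac
import os

# Shared secret for the receiver. A real deployment reads it once in settings
# from the environment; WEBHOOK_TOKEN is an assumed variable name and the
# fallback value is a constructed placeholder for running the example offline.
WEBHOOK_TOKEN = os.environ.get("WEBHOOK_TOKEN", "example-secret-token-do-not-use")

HEADER_NAME = "X-Webhook-Token"  # assumed header name carrying the token


def token_matches_unsafe(presented, expected):
    # Plain == returns as soon as one byte differs, so the time taken depends
    # on how many leading bytes of the secret the caller guessed correctly.
    # Shown only for contrast; do not use this for secrets.
    return presented == expected


def token_matches(presented, expected):
    # hmac.compare_digest runs in time that does not depend on the position of
    # the first mismatch. Both sides are encoded to bytes so that a non-ASCII
    # header value cannot raise. The length of the secret is still observable.
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def handle_webhook(headers, body, expected=WEBHOOK_TOKEN):
    """Return (status_code, text) for one webhook request.

    `headers` is a plain dict standing in for a framework request object
    (constructed for this example; real frameworks expose headers
    case-insensitively, so look the name up the way your framework expects).
    The token is checked before the body is parsed, so an unauthenticated
    sender never reaches the payload-handling code.
    """
    presented = headers.get(HEADER_NAME)
    if not token_matches(presented, expected):
        return 403, "forbidden"
    # Process the verified payload here; `body` is the raw request bytes.
    return 200, "ok"


if __name__ == "__main__":
    # Constructed requests: one with the right token, one wrong, one missing.
    print(handle_webhook({HEADER_NAME: WEBHOOK_TOKEN}, b"{}"))   # (200, 'ok')
    print(handle_webhook({HEADER_NAME: "wrong-token"}, b"{}"))   # (403, 'forbidden')
    print(handle_webhook({}, b"{}"))                             # (403, 'forbidden')
```

The same `compare_digest()` call is the right tool whenever a request carries a secret or a signature that you compare against a locally computed value; the point is that the comparison function, not the framework's `==`, decides how long a mismatch takes.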