fix: exclude signature and auth headers from webhook payload capture
_captured_headers was storing all x-* headers including X-Hub-Signature-256 and X-Webhook-Signature. Since stored headers are exposed via the payload read endpoint, this enabled replay attacks without knowing the webhook secret. Now signature and authorization headers are excluded from capture. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
committed by
Abhimanyu Saharan
parent
fcbde9b0e1
commit
af094ad11a
@@ -203,10 +203,19 @@ def _verify_webhook_signature(
|
||||
)
|
||||
|
||||
|
||||
_REDACTED_HEADERS = frozenset({
|
||||
"x-hub-signature-256",
|
||||
"x-webhook-signature",
|
||||
"authorization",
|
||||
})
|
||||
|
||||
|
||||
def _captured_headers(request: Request) -> dict[str, str] | None:
|
||||
captured: dict[str, str] = {}
|
||||
for header, value in request.headers.items():
|
||||
normalized = header.lower()
|
||||
if normalized in _REDACTED_HEADERS:
|
||||
continue
|
||||
if normalized in {"content-type", "user-agent"} or normalized.startswith("x-"):
|
||||
captured[normalized] = value
|
||||
return captured or None
|
||||
|
||||
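Review bot: The guard `if normalized in _REDACTED_HEADERS:` is an exact-name blocklist, so any other credential-bearing `x-*` header (the unsuffixed legacy `X-Hub-Signature` variant, or an `X-Api-Key`-style header) still passes the `normalized.startswith("x-")` test and lands in `captured[normalized] = value`, where the commit message says it is readable via the payload endpoint. A substring check next to the set closes that gap without dropping the allowlist: `_SENSITIVE_HEADER_MARKERS = ("signature", "token", "secret", "key")` and `if normalized in _REDACTED_HEADERS or any(m in normalized for m in _SENSITIVE_HEADER_MARKERS):`. `_captured_headers` also has no docstring; a one-liner such as `"""Return the request headers safe to persist with the payload, or None if there are none; signature/auth headers are dropped because stored headers are readable via the payload endpoint."""` would record why the redaction exists for the next maintainer. The closing `)` at the top of the hunk belongs to code that starts outside it, presumably the `_verify_webhook_signature` signature named in the hunk header.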