From 124d8f3c812b3ff5575f686c65fb2af0e5ebd466 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Nov 18 2016 09:50:49 +0000 Subject: Update documentation to indicate only the X-Pagure-Topic header is unsigned Signed-off-by: Patrick Uiterwijk --- diff --git a/doc/usage/using_webhooks.rst b/doc/usage/using_webhooks.rst index 34469c2..2c1b8ec 100644 --- a/doc/usage/using_webhooks.rst +++ b/doc/usage/using_webhooks.rst @@ -24,6 +24,10 @@ Each POST request made contains two specific headers: ``X-Pagure-Topic`` is a global header giving a clue about the type of action that just occurred. For example ``issue.edit``. +.. warning:: This header is present for convenience only, it is not + signed and therefore should not be trusted. Rely on the payload + after checking the signature to make any decision. + ``X-Pagure-Signature`` contains the signature of the message allowing to check that the message comes from pagure. @@ -31,10 +35,6 @@ check that the message comes from pagure. ``X-Pagure-Signature-256`` contains the SHA-256 signature of the message allowing to check that the message comes from pagure. -.. warning:: These headers are present for convenience only, they are not - signed and therefore should not be trusted. Rely on the payload - after checking the signature to make any decision. - Pagure relies on ``hmac`` to sign the content of its messages. If you want to validate the message, in python, you can do something like the following:
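Review bot: In the first hunk, the added `.. warning::` text has a comma splice ("present for convenience only, it is not signed") and does not say what "signed" refers to, so a reader cannot tell that the header sits outside the HMAC computed over the message body. Suggest: "This header is present for convenience only; it is not covered by the HMAC signature and should not be trusted. Derive the action type from the payload once the signature has been verified." That ties the warning to the "Pagure relies on ``hmac`` to sign the content of its messages" sentence that follows and makes the trust boundary explicit.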
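Review bot: In the second hunk, dropping the blanket warning after the signature headers is correct, since ``X-Pagure-Signature`` and ``X-Pagure-Signature-256`` carry the signature rather than being unsigned metadata, but with it gone nothing in the section tells the reader which of the two to check or what algorithm ``X-Pagure-Signature`` uses (only the ``-256`` variant names its hash). Suggest adding one sentence after the ``X-Pagure-Signature-256`` paragraph that states the algorithm behind ``X-Pagure-Signature`` and recommends verifying the SHA-256 header where it is present, so the Python example that follows has a clear target.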