View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010273 | Taler | merchant backend | public | 2025-08-22 16:08 | 2025-08-22 16:25 |
Reporter | Bohdan | Assigned To | Bohdan |
Priority | normal | Severity | feature | Reproducibility | always |
Status | feedback | Resolution | open |
Product Version | git (master) |
Summary | 0010273: Adding security header to the webhook |
Description | It would be nice if the webhooks could be checked against a specific header, as opposed to checking that the webhook comes from the allowed list of IPs. A.k.a. on posting of the webhook, the user sets the webhook_token header option with some value (e.g. megasecuretoken), and on every webhook call from the merchant backend, the request must have something like X-Taler-Merchant-Webhook-Token, which contains either a hash or the same header option value (e.g. megasecuretoken) |
Additional Information | Something similar is implemented in the Telegram Bot API https://core.telegram.org/bots/api#setwebhook "If you'd like to make sure that the webhook was set by you, you can specify secret data in the parameter secret_token. If specified, the request will contain a header “X-Telegram-Bot-Api-Secret-Token” with the secret token as content." |
Tags | No tags attached. |
I'm not sure I understand -- https://docs.taler.net/core/api-merchant.html#webhooks allows the client to specify arbitrary HTTP headers to be sent together with the Webhook. So obviously one could configure some "security" header here as well. So what are you asking for that is not already covered by this feature?
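A receiver-side check for the kind of token header discussed in this issue, shown as an added example that is not part of the original report, the note above, or the Taler code base. It assumes the header name proposed in the description, a plain shared token (not the hash variant), and a standard-library WSGI receiver; the function names and the token value are hypothetical.

```python
import hmac
import io

# Header name as proposed in the issue description; WSGI exposes it upper-cased with an HTTP_ prefix.
TOKEN_HEADER = "X-Taler-Merchant-Webhook-Token"
WSGI_KEY = "HTTP_" + TOKEN_HEADER.upper().replace("-", "_")

def token_is_valid(presented, expected):
    """Constant-time comparison; a missing or empty value never matches."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))

def make_receiver(expected_token, on_event):
    """Return a WSGI app that hands the webhook body to on_event only if the token matches."""
    def app(environ, start_response):
        if environ.get("REQUEST_METHOD") != "POST":
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        if not token_is_valid(environ.get(WSGI_KEY), expected_token):
            # Same response for a missing and a wrong token; the body is never read.
            start_response("401 Unauthorized", [("Content-Length", "0")])
            return [b""]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        on_event(environ["wsgi.input"].read(length))
        start_response("204 No Content", [])
        return [b""]
    return app

def simulate(app, token, body):
    """Drive the app with a constructed request and return the status line."""
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    if token is not None:
        environ[WSGI_KEY] = token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

The token should be a long random value delivered over HTTPS only, since anyone who can read the request can replay the header.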
Date Modified | Username | Field | Change |
---|---|---|---|
2025-08-22 16:08 | Bohdan | New Issue | |
2025-08-22 16:25 | Christian Grothoff | Note Added: 0025680 | |
2025-08-22 16:25 | Christian Grothoff | Assigned To | => Bohdan |
2025-08-22 16:25 | Christian Grothoff | Status | new => feedback |