From 59231739a26c525b34a2526b91fe8f49a575d257 Mon Sep 17 00:00:00 2001 From: Nick <24428341+nimec01@users.noreply.github.com> Date: Sat, 30 Sep 2023 13:23:42 +0200 Subject: [PATCH] fix spelling --- docs/WEBHOOK_SECRET.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/WEBHOOK_SECRET.md b/docs/WEBHOOK_SECRET.md index fd0982df..b8929bc4 100644 --- a/docs/WEBHOOK_SECRET.md +++ b/docs/WEBHOOK_SECRET.md @@ -2,11 +2,11 @@ ## How does the signing work? -Pi.Alert will use the configured secret to create a hash signature of the requests body. This SHA256-HMAC signature will appear in the `X-Webhook-Signature` header of each request to the webhook target URL. You can use the value of this header to validate the request was sent by Pi.Alert. +Pi.Alert will use the configured secret to create a hash signature of the request body. This SHA256-HMAC signature will appear in the `X-Webhook-Signature` header of each request to the webhook target URL. You can use the value of this header to validate the request was sent by Pi.Alert. ## Activating webhook signatures -All you need to do in order to add a signature to the requests headers is to set the `WEBHOOK_SECRET` config value to a non-empty string. +All you need to do in order to add a signature to the request headers is to set the `WEBHOOK_SECRET` config value to a non-empty string. ## Validating webhook deliveries 
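Review bot: the "How does the signing work?" sentence still leaves out which bytes are signed: the receiver has to compute the HMAC over the raw request body exactly as delivered on the wire (before any JSON parsing or re-serialization), because a re-encoded body yields a different digest. Suggest "create a hash signature of the raw request body". It would also help to state here, not only in the validation section further down, that the header value carries a `sha256=` prefix in front of the hex digest, so readers do not compare the bare digest against the header. The `requests body` to `request body` and `requests headers` to `request headers` corrections are right.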
@@ -15,11 +15,11 @@ There are a few things to keep in mind when validating the webhook delivery: - Pi.Alert uses an HMAC hex digest to compute the hash - The signature in the `X-Webhook-Signature` header always starts with `sha256=` - The hash signature is generated using the configured `WEBHOOK_SECRET` and the request body. -- Never use a plain `==` operator. Instead consider using a method like [`secure_compare`](https://www.rubydoc.info/gems/rack/Rack%2FUtils:secure_compare) or [`crypto.timingSafeEqual`](https://nodejs.org/api/crypto.html#cryptotimingsafeequala-b), which performs a "constant time" string comparison to help mitigate certain timing attacks against regular equality operators, or regular loops in JIT-optimized languages. +- Never use a plain `==` operator. Instead, consider using a method like [`secure_compare`](https://www.rubydoc.info/gems/rack/Rack%2FUtils:secure_compare) or [`crypto.timingSafeEqual`](https://nodejs.org/api/crypto.html#cryptotimingsafeequala-b), which performs a "constant time" string comparison to help mitigate certain timing attacks against regular equality operators, or regular loops in JIT-optimized languages. ## Testing the webhook payload validation -You can use the following secret and request body to verify your implementation is working correctly. +You can use the following secret and payload to verify that your implementation is working correctly. `secret`: 'this is my secret' 
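Review bot: the "Never use a plain `==` operator" bullet only points at Ruby's `secure_compare` and Node's `crypto.timingSafeEqual`; since the advice is language-agnostic, suggest also naming Python's `hmac.compare_digest`, and stating that the comparison is between the full `sha256=` + hex digest string you compute and the header value (equal-length strings), not between the header and the bare digest. Separately, the list could note that an HMAC over the body proves origin and integrity but not freshness: a captured delivery replays with a valid signature, so a receiver that cares should additionally check something like a timestamp or unique delivery identifier carried in the payload. The added comma in "Instead, consider" reads fine.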
@@ -33,6 +33,6 @@ If your implementation is correct, the signature you generated should match the ## More information -If you want to learn more about webhook security, take a look at [Github's webhook documentation](https://docs.github.com/en/webhooks/about-webhooks). +If you want to learn more about webhook security, take a look at [GitHub's webhook documentation](https://docs.github.com/en/webhooks/about-webhooks). You can find examples for validating a webhook delivery [here](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#examples).
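Review bot: the GitHub validation examples linked at the end compute the signature the same way (HMAC-SHA256, hex digest, `sha256=` prefix) but read it from the `X-Hub-Signature-256` header, whereas Pi.Alert sends it in `X-Webhook-Signature`; suggest adding a sentence telling readers to substitute the header name when copying those examples. The `Github` to `GitHub` fix matches the product's own spelling.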