Mohankrishna | 2024-08-01 09:29:40 UTC | #1
I see the user agent on the open messaging webhook's payload as "User-Agent": "undefined/591 (messaging-connector-open-outgoing-sqs-message)"
Is that a good source of information to consider that the message is from an authenticated source? (i.e. the messaging-connector-open text?)
I understand user agent is also very thin. Are there any other better recommendations on this?
FYI, I understand the HMAC to verify but I would not want to process any data just because the header is available so thinking an additional level of restriction will save and hence this question.
Colum_Mullally | 2024-08-01 12:36:04 UTC | #2
Hello Mohankrishna,
User-Agent is not a recommended source of information and is likely to be fluid and change over time. HMAC is the only 100% accurate way to verify the source of the call, but if you are looking for a light 2nd layer check, that you could do. We do have an IP range entry under https://developer.genesys.cloud/organization/utilities-apis#get-api-v2-ipranges but this should not be necessary if you are doing HMAC.
Hope this helps, Colum Mullally
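
Added example, not part of the original posts and not Genesys code: one way to layer the two checks discussed above, with the HMAC as the authoritative check and the IP range as a light second layer. The `sha256=<base64>` signature format, the `entities`/`cidr` field names, the secret, the body and the CIDRs are assumptions constructed for illustration; only the `"service": "open-messaging"` value comes from the thread.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample values (assumptions, not real Genesys data).
SECRET = b"example-shared-secret"
BODY = b'{"id":"msg-1","type":"Text","text":"hello"}'
IPRANGES = {"entities": [  # assumed shape of a cached ipranges response
    {"cidr": "192.0.2.0/24", "service": "open-messaging"},
    {"cidr": "203.0.113.0/24", "service": "other-service"},
]}

def expected_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw, unparsed request body (assumed header format)."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(digest).decode()

def signature_ok(secret: bytes, body: bytes, header_value) -> bool:
    """Constant-time comparison; a missing header fails closed."""
    if not header_value:
        return False
    return hmac.compare_digest(expected_signature(secret, body).encode(),
                               header_value.encode())

def allowed_networks(ipranges: dict, service: str = "open-messaging"):
    """Select the CIDRs published for one service."""
    return [ipaddress.ip_network(e["cidr"])
            for e in ipranges.get("entities", [])
            if e.get("service") == service]

def source_ok(remote_ip: str, networks) -> bool:
    """True if the peer address falls inside any allowed network."""
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparsable address fails closed
    return any(ip in net for net in networks)

def accept_webhook(secret, body, sig_header, remote_ip, networks) -> bool:
    # Verify the signature before parsing or acting on the body.
    # remote_ip must be the peer address from a trusted hop, not a
    # client-supplied header such as X-Forwarded-For.
    return signature_ok(secret, body, sig_header) and source_ok(remote_ip, networks)
```
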
Mohankrishna | 2024-08-02 04:28:03 UTC | #3
Thank you very much for sharing the details. I get details as below "service": "open-messaging" and IP CIDR. Very useful and I can utilize this.
Any recommended frequency to check for changes in the IP range? Or will the same be notified as part of releases? (I do not see any notification/event published on change - if I missed it, please share.)
This post was migrated from the old Developer Forum.
ref: 27520