How to check if HTTP POST came from SendGrid servers?
Is there a way to know for sure that HTTP POST sent by SendGrid for each incoming email is genuinely sent from SendGrid servers, and not some other, potentially malicious, server?
EMPLOYEE
You can use HTTPS & basic auth in your event URL.
So if your event URL looked like this:
https://username:password@example.com...
& you had the username & password set up in your server's htpasswd (or equivalent), all event posts to your site would be as secure as the password. Be sure to check your logs to make sure events are still being accepted after making the change.
Hey David, any other solutions in case your server does not have htpasswd or equivalent? I.e. Google App Engine
EMPLOYEE
I'm not usually a fan of security through obscurity, but something like this:
https://example.com/some/really/long/...
should be sufficient if you're looking to keep random people from posting events. Assuming of course the path isn't published or linked to from anywhere.
Is this a real problem people are seeing, or is this only to stop a theoretical attack? If this is a real problem, I can put in a feature request to either use client certificates or cryptographically sign the posted parameters. It would provide strong verification that the post came from us, but would be more work on your side to set up/verify the message.
Thanks David. I was thinking of this as a preventive measure.
Hi David, but it seems that you don't support basic auth. We tried it and we always got a 401 response, because no username and password are provided.
We asked support about this, and they answered "We do not presently support the standard basic auth protocol...", is it true?
The people in support are right, the HTTP client we're using is pretty stripped down and doesn't support HTTP auth or SSL. Sorry for the bad info.
Any updates on this? What methods are people using to verify that the POST came from SendGrid? The method described in the first post is not possible because SendGrid generates the URL and doesn't pass the authentication details, or am I missing something?
Do we have a list of IPs?
Also there would be issues in case new machines are added. We should receive notification from SendGrid in that case so that we can keep the list updated.
My IP list:
50.22.57.66
50.22.57.67
50.22.57.68
50.22.57.69
50.22.57.70
Response from support:
"These IPs should be fine to allow posting. Let me know if you run into any problems where the information is not getting through."
Next, my question:
"So if I get it right, this list of IPs should not be changed unexpectedly in future. Can I expect a warning beforehand if you're going to make any changes to this list?"
Response:
"These should not change anytime soon.
If you run into any problems with posting, please contact us and let us know."
That's all...
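Pulling the three receiver-side checks discussed in this thread (an unguessable path, basic-auth credentials in the callback URL, and an allowlist of source IPs) into one webhook handler, as an added example that is not code from SendGrid or from anyone in the thread. The path and credentials are constructed placeholders; the addresses are the five the poster above reported from support. Since the employee replies say the SendGrid client at the time did not send basic auth, the credential check is switchable with the assumed `require_basic_auth` parameter so the other two checks still apply on their own.

```python
import base64
import hmac
import ipaddress

# Constructed values for this example. The path and credentials are placeholders;
# the addresses are the list a poster in this thread reported from support.
EXPECTED_PATH = "/events/9f3c1b7e4a2d-example-secret-path"
EXPECTED_USER = "username"
EXPECTED_PASSWORD = "password"
ALLOWED_SOURCES = [
    ipaddress.ip_network(a)  # a bare host address becomes a /32 network
    for a in ("50.22.57.66", "50.22.57.67", "50.22.57.68",
              "50.22.57.69", "50.22.57.70")
]


def make_basic_header(user, password):
    """Build the Authorization header a client derives from a user:password@host URL."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_auth_ok(authorization_header):
    """Validate 'Authorization: Basic <base64>' against the expected credentials."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, _, password = decoded.partition(":")
    # compare_digest keeps comparison time independent of where a mismatch occurs.
    return (hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
            and hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode()))


def source_ip_ok(remote_addr):
    """True if the peer address is on the allowlist; malformed input is rejected."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def verify_webhook_request(path, remote_addr, headers, require_basic_auth=True):
    """Return (accepted, reason) for an incoming event POST.

    Each failure gets a distinct reason so the receiver can log why a request
    was rejected; the sender should only ever see a generic error.
    """
    if not hmac.compare_digest(path.encode(), EXPECTED_PATH.encode()):
        return False, "unknown path"
    if not source_ip_ok(remote_addr):
        return False, "source address not on allowlist"
    if require_basic_auth:
        lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if not basic_auth_ok(lower.get("authorization")):
            return False, "missing or wrong credentials"
    return True, "ok"


if __name__ == "__main__":
    good = {"Authorization": make_basic_header("username", "password")}
    print(verify_webhook_request(EXPECTED_PATH, "50.22.57.66", good))
    print(verify_webhook_request(EXPECTED_PATH, "203.0.113.9", good))
    print(verify_webhook_request(EXPECTED_PATH, "50.22.57.70", {}, require_basic_auth=False))
```

If the receiver sits behind a reverse proxy or load balancer, `remote_addr` is the proxy's address, so the allowlist check has to read the client address from the header the proxy sets and trust that header only when the connection really comes from the proxy. Credentials embedded in a callback URL live wherever that URL is configured or logged, so they deserve the same handling as the secret path, and as the thread notes, a static IP list needs a process for being told when it changes.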
Supporting the basic auth protocol would really help. We have a testing environment that is not public and is protected by basic auth. It would make testing much easier if we could include basic auth credentials in the callback url.
The documentation also incorrectly states that it is supported. See the note halfway down the page: http://docs.sendgrid.com/documentatio...
Glad I found this thread - I've been racking my brain over here for the last few hours wondering why the HTTP Auth params I've been sending in my event notification URL aren't being sent back to me right.
The most frustrating part is not necessarily that it's not there, but more that the documentation says it is, when apparently it's not. Having this feature would be a very big value-add for us.
To clarify this after extensive testing on my part:
At this time, we do not support HTTP Authorization, though we do support HTTPS connections.