sneak/webhooker
1
0
Fork 0
Code Issues 4 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: restrict webhook endpoint to POST only (closes #20)

Browse Source 
Add method check at the top of HandleWebhook, returning 405 Method Not
Allowed with an Allow: POST header for any non-POST request. This
prevents GET, PUT, DELETE, etc. from being accepted at entrypoint URLs.
This commit is contained in:
clawbot
2026-03-01 16:35:38 -08:00
parent 49ab1a6147
commit e2ac30287b
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/handlers/webhook.go
View File

@@ -15,8 +15,15 @@ const (
)
// HandleWebhook handles incoming webhook requests at entrypoint URLs.
// Only POST requests are accepted; all other methods return 405 Method Not Allowed.
func (h *Handlers) HandleWebhook() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
w.Header().Set("Allow", "POST")
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
return
}
entrypointUUID := chi.URLParam(r, "uuid")
if entrypointUUID == "" {
http.NotFound(w, r)