fix: restrict webhook endpoint to POST only (closes #20)

Add method check at the top of HandleWebhook, returning 405 Method Not
Allowed with an Allow: POST header for any non-POST request. This
prevents GET, PUT, DELETE, etc. from being accepted at entrypoint URLs.
clawbot
2026-03-01 16:35:38 -08:00
parent 49ab1a6147
commit e2ac30287b
2 changed files with 10 additions and 1 deletions

@@ -109,6 +109,8 @@ func (s *Server) SetupRoutes() {
r.Post("/targets", s.h.HandleTargetCreate()) // Add target
})
// Entrypoint endpoint - accepts incoming webhook POST requests
// Entrypoint endpoint accepts incoming webhook POST requests only.
// Using HandleFunc so the handler itself can return 405 for non-POST
// methods (chi's Method routing returns 405 without Allow header).
s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
}
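
Review bot: registering "/webhook/{uuid}" with s.router.HandleFunc makes the route match every HTTP method, so the POST-only guarantee now rests entirely on the check inside HandleWebhook, and nothing in the visible change exercises it. Please add a route-level test that sends GET, PUT and DELETE to /webhook/{uuid} and asserts a 405 status with an Allow: POST header, so a later handler refactor cannot silently reopen the endpoint. The new comment also states a chi behaviour ("Method routing returns 405 without Allow header") without naming the chi version it was observed on. Noting that version in the comment would let a future reader tell whether r.Post alone has become sufficient after a dependency upgrade.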