hey @twittersecurity – just reviewing https://dev.twitter.com/webhooks/securing … – shouldn’t the HMAC’ed message include the requested URL to prevent MITM?
yeah, that’s good hygiene. In this case since it’s really just endpoint verification, I think URL is enough?
It's hard to say. I think they are just trying to prove possession of the HMAC key by the other end. If you can respond at $url and you don't have the HMAC key, you're not the authorized app, otherwise you are. Allows different apps to share an origin, I guess.