X-Hook-Signature not calculated
PieterHartzer opened this issue · comments
Starling provides a X-Hook-Signature in the header to confirm that the request is actually from Starling. It doesn't appear to be used which could lead to anyone posting data to the endpoint.
Starling docs -> Webhooks
Correct, but by choice.
We implemented a simpler version of this so that it works across multiple providers consistently.
https://github.com/fintech-to-ynab/fintech-to-ynab/wiki/Getting-Started#url-secret-optional