Add SendBlue webhook signature validation

Validates sb-signing-secret header against SENDBLUE_WEBHOOK_SECRET env var. Can be disabled with SENDBLUE_SIGNATURE_VALIDATION=false for development. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-03 19:28:35 -04:00
parent 20576cabf3
commit 1e753bfaab
2 changed files with 29 additions and 0 deletions
@@ -97,6 +97,9 @@ MAILGUN_SIGNATURE_VALIDATION=true
 SENDBLUE_API_KEY=your-sendblue-api-key
 SENDBLUE_API_SECRET=your-sendblue-api-secret
 SENDBLUE_FROM_NUMBER=+1XXXXXXXXXX
+SENDBLUE_WEBHOOK_SECRET=your-sendblue-webhook-secret
+# Set to false to disable SendBlue signature validation in development
+SENDBLUE_SIGNATURE_VALIDATION=true
 # Comma-separated list of iMessage numbers allowed to use the service (E.164 format)
 # Use * to allow any number
 ALLOWED_IMESSAGE_NUMBERS=