Request Validation header: documentation conflicts

Anita · July 3, 2022, 3:48am

In your documentation you have " you can use the X-Snipcart-RequestToken header."

When looking at a webhook request log it shows a header called `X-Snipcart-RequestToken’.

However, when I examine the request using ngrok I see a header like this:

X-Snipcart-Requesttoken	252e5ce5-7450-4ab4-bcda-57f1e7f6a51d

I also found references to X-Snipcart-Requesttoken in the support forum.

The Webhook log is particularly confusing, as I would assume that those headers came from the request and were not hardcoded.

Can you clarify the header name, and if necessary, correct the documentation.

Many thanks,
Anita

Anita · July 3, 2022, 4:12am

Extra question: is the X-Snipcart-Request[T|t]oken header sent in Test mode?

I am testing validation in Test mode and when I print the headers I get

{
 "X-Frame-Options" => "SAMEORIGIN",
 "X-XSS-Protection" => "1; mode=block",
 "X-Content-Type-Options" => "nosniff",
 "X-Download-Options" => "noopen",
 "X-Permitted-Cross-Domain-Policies" => "none",
 "Referrer-Policy" => "strict-origin-when-cross-origin"
}

I think I must be looking at the wrong headersl

Anita · July 3, 2022, 5:23am

NVM. Headers are not case sensitive. Other problems resolved too.

jpsirois · July 5, 2022, 7:48pm

Hi @Anita,

Just to be sure, did you resolved all your problems?

In case you need more info about this, we have a bit more information about this header in our documentation here.

I hope this helps, and do not hesitate to let us know if you have any other questions!

Anita · July 11, 2022, 3:32am

No in the end I did not get request validation working. I’ve read the doc and I think I understand the process, but I consistently fail request validation.

So, some questions to help me move ahead.

Does request validation work in test mode?
How long is a validation token valid?
When testing (using ngrok/postman) can I reuse a token, or do I need to send a new request every time?

thanks
Anita