python/aiogram
1
0
Fork 0
mirror of https://github.com/aiogram/aiogram.git synced 2026-04-08 16:37:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Document webhook proxy trust model (#47) (#1765)

Browse source
This commit is contained in:
Kostiantyn Kriuchkov 2026-02-15 20:24:15 +02:00 committed by GitHub
parent fa844fce59
commit e37eddbe8c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 68 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

13
docs/dispatcher/webhook.rst
View file

@ -66,6 +66,19 @@ It can be acy using firewall rules or nginx configuration or middleware on appli
So, aiogram has an implementation of the IP filtering middleware for aiohttp.
`aiogram` IP filtering middleware reads the left-most IP address from `X-Forwarded-For`.
.. warning::
`X-Forwarded-For` is trustworthy only if all webhook traffic goes through a trusted reverse proxy that rewrites this header.
If your application is directly reachable from the Internet, this header can be forged.
For production deployments, use defense in depth:
- Always set and verify :code:`X-Telegram-Bot-Api-Secret-Token`
- Restrict network access to the webhook endpoint (firewall, security groups, ACL)
- Ensure the backend app is not publicly reachable and accepts requests only from the trusted proxy
.. autofunction:: aiogram.webhook.aiohttp_server.ip_filter_middleware
.. autoclass:: aiogram.webhook.security.IPFilter