Document queue-worker callback URL whitelist #433
AI Code Review Results
AI Pull Request Overview
Disclaimer: This review was generated by automated AI and may contain errors. Do not trust its outputs without human verification.
Summary
- Documents the new async callback URL restriction from the async reference page.
- Adds a cross-link from the JetStream page to the new callback URL restriction section.
- The changed content is documentation-only.
- The new examples are concise and use the existing Helm values style.
- One publish-quality issue remains around edition/scope clarity for readers using non-Pro queue-workers.
Approval rating (1-10)
7/10. Useful documentation addition, but the async reference should make the Pro/Enterprise scope explicit before merge.
Summary per file
| File path | Summary |
|---|---|
| docs/reference/async.md | Adds callback URL allow-list guidance and examples; promotes async subheadings. |
| docs/openfaas-pro/jetstream.md | Adds a short callback URL restriction section linking to async docs. |
Overall Assessment
The PR adds reader-facing documentation for restricting async callback destinations and places it in the right conceptual area. The main gap is that the general async reference now recommends a queueWorkerPro setting without clearly saying this feature/configuration is for the Pro/Enterprise queue-worker path. That can send CE readers toward a Helm value that may not apply to their installation.
Detailed Review
Findings
| Severity | File | Issue |
|---|---|---|
| Medium | docs/reference/async.md:91 | The new guidance is in the general async reference and recommends queueWorkerPro.allowedCallbackURLs, but it does not state that this is a Pro/Enterprise queue-worker configuration. The page already distinguishes CE/Pro behavior elsewhere, and CE users reading the production recommendation at line 57 may assume this is available in their deployment. Add a short scope sentence before the values snippet, for example: For OpenFaaS Pro and Enterprise installations using the Pro queue-worker, configure this with queueWorkerPro.allowedCallbackURLs in the OpenFaaS Helm chart. If CE also supports this, use the CE values key instead or document both keys explicitly. |
Content review
No blocking findings beyond the scope clarity issue above.
The title and PR description match the documentation changes: both files focus on callback URL restrictions for async processing.
The opening pointer in docs/reference/async.md gives readers an early security cue before showing callback examples, which is the right placement.
The examples are short enough to be usable, but the section would be clearer if the first sentence established the product edition before introducing the Helm key.
The JetStream addition is appropriately brief and works as a navigation aid rather than duplicating the async reference content.
AI agent details.
Agent processing time: 2m36.843s
Environment preparation time: 12.135s
Total time from webhook: 2m57.637s