Edit on GitHub

Best practices for Plugins on Mattermost

How should plugins serve publicly available static files? 

Add all static files under a file directory named public within the plugin directory, and include the files in the plugin bundle using the Makefile.

How can plugins make sure http requests are authentic? 

Plugins can implement the ServeHTTP to listen to http requests. This can e.g. be used to receive post action requests when Interactive Messages Buttons and Menus are triggered by users. Since these requests are just http requests, anyone can send them to the plugin. Hence the plugin must make sure the requests are authentic. The Mattermost Server sets the http header Mattermost-User-Id if and only if the request is made by an authenticated client. The plugin therefore has to only check if this header is set and reject all other requests.

Did you find what you were looking for?

Thank you! We appreciate your feedback.

Tell us more

Your feedback helps us improve the Mattermost developer documentation.

Have a feature request? Share it here.

Having issues? Join our Community server.