If the signature does not match, subscribers must still return a 2xx success response to acknowledge receipt, but locally ignore the message as invalid.
What is the reason for returning 2xx here as opposed to a 4xx code?
If we assume that properly configured hubs will always send a valid signature, then the only requests that will hit the callback URL with an invalid signature would be bad requests: either an attacker or some other misconfigured hub. It would seem that 400 Bad Request would be a more appropriate response here.
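The behaviour the quoted spec sentence requires, as an added example that is not part of the original issue or the spec text: a subscriber callback that verifies the `X-Hub-Signature` header and returns the same 2xx status whether or not it matches, while recording rejected deliveries locally. The function names, the `accepted`/`rejected` lists and the sample secret and body are assumptions made for illustration.

```python
import hashlib
import hmac

# Digest methods WebSub allows in "X-Hub-Signature: method=hexdigest".
ALLOWED_METHODS = {"sha1", "sha256", "sha384", "sha512"}


def signature_ok(secret: bytes, body: bytes, header) -> bool:
    """True only if header is well formed and equals HMAC(secret, raw body)."""
    if not header or "=" not in header:
        return False
    method, _, sent = header.partition("=")
    method = method.strip().lower()
    if method not in ALLOWED_METHODS:
        return False
    expected = hmac.new(secret, body, getattr(hashlib, method)).hexdigest()
    # Constant-time compare so timing does not reveal how much of the digest matched.
    sent_bytes = sent.strip().lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected.encode(), sent_bytes)


def handle_delivery(secret: bytes, body: bytes, headers: dict,
                    accepted: list, rejected: list) -> int:
    """Hypothetical callback handler: same 2xx status either way, different local action."""
    header = {k.lower(): v for k, v in headers.items()}.get("x-hub-signature")
    if signature_ok(secret, body, header):
        accepted.append(body)  # hand off to normal processing
    else:
        # Ignore the payload locally; keep a record for detection and hub debugging.
        rejected.append({"reason": "bad_signature", "header": header, "length": len(body)})
    return 200


def sign(secret: bytes, body: bytes, method: str = "sha256") -> str:
    """Build the header value a hub would send (used here to construct sample input)."""
    return method + "=" + hmac.new(secret, body, getattr(hashlib, method)).hexdigest()


if __name__ == "__main__":
    # Constructed sample input, not taken from the issue.
    secret, body = b"constructed-hub-secret", b'{"constructed": "sample"}'
    ok, bad = [], []
    print(handle_delivery(secret, body, {"X-Hub-Signature": sign(secret, body)}, ok, bad))
    print(handle_delivery(secret, body + b"x", {"X-Hub-Signature": sign(secret, body)}, ok, bad))
    print(len(ok), len(bad))
```

Because the status code is identical in both branches, the `rejected` record is the only place a mismatch is visible, so it is what a subscriber would alert on.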