From 16caf82f75c4be494b4e3225c87a521d02c51d8e Mon Sep 17 00:00:00 2001
From: Tristan Toye
Date: Wed, 27 May 2020 21:15:22 -0400
Subject: [PATCH 1/2] Clarify Calling HTTP_ header in example In trying to track down a bug here turns out I was trying to reference the wrong header shown in the readme. Printing our `request.env` it becomes clear this is just the full request object: ``` {"rack.version"=>[1, 3], "rack.errors"=>#>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 4.3.5 Mysterious Traveller", "GATEWAY_INTERFACE"=>"CGI/1.2", "REQUEST_METHOD"=>"POST", "REQUEST_PATH"=>"/api/v1/....", "REQUEST_URI"=>"/api/v1/...", "HTTP_VERSION"=>"HTTP/1.1", "HTTP_HOST"=>"example.com", "HTTP_APIKEY"=>"secret_key", "CONTENT_TYPE"=>"application/json", "HTTP_USER_AGENT"=>"PostmanRuntime/7.25.0", "HTTP_ACCEPT"=>"*/*", "HTTP_CACHE_CONTROL"=>"no-cache", ... ```
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 86d1fad2..c8b8c045 100644
--- a/README.md
+++ b/README.md
@@ -135,7 +135,7 @@ E.g.
 # Provided that trusted users use an HTTP request header named APIKey
 Rack::Attack.safelist("mark any authenticated access safe") do |request|
 # Requests are allowed if the return value is truthy
- request.env["APIKey"] == "secret-string"
+ request.env["HTTP_APIKey"] == "secret-string"
 end
 # Always allow requests from localhost
From abd9aa2d40b82a723c74bb333f0462b428a93b9e Mon Sep 17 00:00:00 2001
From: Tristan Toye
Date: Wed, 27 May 2020 21:20:57 -0400
Subject: [PATCH 2/2] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c8b8c045..f08c44cf 100644
--- a/README.md
+++ b/README.md
@@ -135,7 +135,7 @@ E.g.
 # Provided that trusted users use an HTTP request header named APIKey
 Rack::Attack.safelist("mark any authenticated access safe") do |request|
 # Requests are allowed if the return value is truthy
- request.env["HTTP_APIKey"] == "secret-string"
+ request.env["HTTP_APIKEY"] == "secret-string"
 end
 # Always allow requests from localhost
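Review bot: The new line `request.env["HTTP_APIKEY"] == "secret-string"` compares a shared secret with `==`, which is not a constant-time comparison, and README examples like this one tend to be copied verbatim into initializers. Because a truthy result safelists the request, the example would be safer with a timing-safe check such as `Rack::Utils.secure_compare(request.env["HTTP_APIKEY"].to_s, "secret-string")`, where the `.to_s` covers a request that omits the header. The context comment above still calls the header APIKey without explaining the env key; a one-line addition such as `# Rack exposes the APIKey header as env["HTTP_APIKEY"]` would document the mapping this series settles on. The README code block continues outside the hunk.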