
Webhook Security Features

To ensure the security and integrity of the data transmitted via webhooks, our platform implements several key security features. These measures help to protect your endpoints from unauthorized access and ensure that all the payloads you receive are genuine and untampered with.

Generating Signed Requests

Our platform uses HMAC (Hash-Based Message Authentication Code) signatures to sign webhook requests. This allows you to verify the authenticity of the requests you receive. Each webhook request includes a signature and a timestamp, which are used to validate the request.

How We Generate Signatures

When our platform sends a webhook, it generates a signature using the payload and a secret key that we provide to you during the webhook creation process. This signature is included in the headers of the webhook request.

Request Headers

Each webhook request includes the following headers:

  • x-gmz-pep-webhook-signature: The hex-encoded HMAC-SHA256 signature computed over the timestamp and the payload (see the verification example below).
  • x-gmz-pep-webhook-timestamp: The timestamp at which the request was generated.

Verifying Webhook Requests

To ensure the security of your webhook endpoint, you need to verify the signature included in each request. This involves:

  1. Extracting the signature and timestamp from the request headers.
  2. Re-generating the signature on your server using the received payload and your secret key.
  3. Comparing the generated signature with the signature from the request headers.

Example Verification Code (Node.js)

Here is an example of how you can verify webhook requests in a Node.js application using Express:

const express = require('express');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const app = express();
app.use(bodyParser.json());

// The secret provided when the webhook was created; load it from configuration rather than hard-coding it in production
const signatureKey = 'your_signature_key_here';

app.post('/webhook', (req, res) => {
  const payload = req.body;
  const receivedSignature = req.headers['x-gmz-pep-webhook-signature'];
  const receivedTimestamp = req.headers['x-gmz-pep-webhook-timestamp'];

  // Reject requests that lack either header before doing any work
  if (typeof receivedSignature !== 'string' || typeof receivedTimestamp !== 'string') {
    return res.sendStatus(401);
  }

  // The signed string is "<timestamp>.<payload>"; the serialized payload must match what was signed byte for byte
  const generatedSignature = crypto
    .createHmac('sha256', signatureKey)
    .update(`${receivedTimestamp}.${JSON.stringify(payload)}`)
    .digest('hex');

  // Constant-time comparison: a plain === leaks timing information about how many leading bytes matched
  const received = Buffer.from(receivedSignature, 'utf8');
  const expected = Buffer.from(generatedSignature, 'utf8');
  const verified = received.length === expected.length && crypto.timingSafeEqual(received, expected);

  if (verified) {
    // The request is verified and can be processed
    console.log('Received verified event:', payload);
    res.sendStatus(202);
  } else {
    // The request is not verified
    console.log('Signature verification failed');
    res.sendStatus(401);
  }
});

app.listen(3000, () => {
  console.log('Webhook listener running on port 3000');
});

Best Practices for Securing Webhooks

To further enhance the security of your webhook implementation, consider the following best practices:

Use HTTPS

Always use HTTPS for your webhook endpoints to ensure that the data transmitted between our platform and your server is encrypted.

Validate the Timestamp

Ensure that the timestamp included in the request headers is recent. This helps prevent replay attacks, where an attacker attempts to resend a previously intercepted request.

IP Whitelisting

If possible, restrict access to your webhook endpoint to only allow requests from our platform's IP addresses.

Logging and Monitoring

Keep logs of the received webhook requests and monitor for any unusual activity. This can help you detect and respond to potential security incidents.

Ensure Your API Response is as Fast as Possible

To prevent delays, your endpoint should respond as quickly as possible and close the connection promptly once the payload has been received, deferring any heavy processing until after the response has been sent.