Securing Webhooks
Webhooks are a powerful tool for enabling real-time communication between different systems. However, ensuring the security of webhook endpoints is crucial to prevent unauthorized access and data breaches. This document outlines best practices for securing webhook endpoints.
Use HTTPS
Always ensure that webhook endpoints are accessible via HTTPS. HTTPS encrypts the data transmitted between the webhook provider and your server, preventing man-in-the-middle attacks and unauthorized interception of data.
Authentication
Implement robust authentication mechanisms to ensure that only authorized parties can access your webhook endpoints. This could include using API keys, OAuth tokens, or other forms of authentication. Verify the authenticity of incoming requests using these credentials.
It is recommended to use custom headers to pass authentication tokens or other sensitive information instead of query parameters.
Custom Headers
Field Nation Webhook allows you to add custom headers to your webhook configuration. You can use these headers to pass authentication tokens or other information required to validate incoming requests. They are stored encrypted in the database.
Custom headers can be added in the advanced configuration section when creating a webhook. Header names cannot start with x-fn-, as that prefix is reserved for Field Nation headers.
Validate Incoming Requests
Validate incoming webhook requests to ensure they are coming from trusted sources. This could involve verifying signatures or tokens provided by the webhook provider.
Field Nation Webhook includes an x-fn-signature header in each request. Its value is an HMAC computed from the webhook secret and the HTTP request body; recompute it on your side and compare it to verify that the request is authentic and unmodified.
The following code snippets are provided for demonstration purposes only. Do not use them directly in your production environment.
Javascript

    const { createHmac, timingSafeEqual } = require('crypto');

    // The header value has the form "<algorithm>=<hex digest>"
    const [algorithm, requestSignature] = request.headers['x-fn-signature'].split('=');
    // request.body must be the raw body as received, not a parsed object
    const validationSignature = createHmac(algorithm, process.env.WEBHOOK_SECRET)
        .update(request.body)
        .digest('hex');

    const expected = Buffer.from(validationSignature);
    const received = Buffer.from(requestSignature);
    // timingSafeEqual throws when the buffers differ in length, so check that first
    if (expected.length !== received.length || !timingSafeEqual(expected, received)) {
        // Request is not valid
    } else {
        // Request is valid
    }

PHP

    <?php
    // PHP exposes request headers in $_SERVER with an HTTP_ prefix,
    // upper-cased and with dashes replaced by underscores
    [$algorithm, $requestSignature] = explode('=', $_SERVER['HTTP_X_FN_SIGNATURE'], 2);
    $validationSignature = hash_hmac(
        $algorithm,
        file_get_contents('php://input'), // the raw request body
        $_ENV['WEBHOOK_SECRET']
    );
    if (!hash_equals($validationSignature, $requestSignature)) {
        // Request is not valid
    } else {
        // Request is valid
    }

Python

    import os
    import hmac
    import hashlib

    # The header value has the form "<algorithm>=<hex digest>"
    algorithm, requestSignature = request.headers['x-fn-signature'].split('=', 1)
    validationSignature = hmac.new(
        os.environ['WEBHOOK_SECRET'].encode(),  # KeyError if the secret is not configured
        msg=request.body,                       # raw body bytes, not a parsed object
        digestmod=algorithm,
    ).hexdigest()
    if not hmac.compare_digest(validationSignature, requestSignature):
        pass  # Request is not valid
    else:
        pass  # Request is valid
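The snippets above are fragments that assume a request object is already in hand. The following is an added, self-contained Python example (not Field Nation's code) that puts the pieces of this section and the Custom Headers section together: it checks a custom authentication header in constant time, parses the x-fn-signature value in the algorithm=hexdigest form that the snippets split on, recomputes the HMAC over the raw body bytes, and compares in constant time. It rejects a missing or malformed header and any digest name outside a small allowlist rather than handing an unexpected name to hashlib. The digest names sha256 and sha512, the custom header name x-demo-auth, the secret, the token and the request body are all constructed for the demo; the sign_body helper only stands in for the provider so the example can run offline. Hash the body exactly as received: re-serialising a parsed JSON object can change whitespace or key order and the digests will no longer match.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Digest names this verifier is willing to compute. The page does not name the
# algorithm Field Nation uses, so sha256/sha512 here are an assumption; the
# allowlist means an unexpected name in the header is rejected instead of
# being passed to hashlib unchecked.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


def _normalise(headers: Mapping[str, str]) -> dict:
    """Header names are case-insensitive; look them up in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def parse_signature_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split 'algorithm=hexdigest' into its two parts; None when missing or malformed."""
    if not value:
        return None
    algorithm, sep, digest = value.strip().partition("=")
    if not sep or not algorithm or not digest:
        return None
    return algorithm.lower(), digest.lower()


def verify_custom_header(headers: Mapping[str, str], name: str, expected: str) -> bool:
    """Constant-time check of a custom header configured on the webhook
    (a shared token, for instance) against the value this endpoint expects."""
    presented = _normalise(headers).get(name.lower(), "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def verify_signature(headers: Mapping[str, str], raw_body: bytes, secret: bytes) -> bool:
    """Recompute the HMAC over the raw body bytes and compare in constant time."""
    parsed = parse_signature_header(_normalise(headers).get("x-fn-signature"))
    if parsed is None:
        return False
    algorithm, presented = parsed
    if algorithm not in ALLOWED_ALGORITHMS:
        return False
    expected = hmac.new(secret, raw_body, digestmod=algorithm).hexdigest()
    return hmac.compare_digest(expected.encode(), presented.encode())


def accept_request(headers: Mapping[str, str], raw_body: bytes, secret: bytes,
                   auth_header: str, auth_token: str) -> bool:
    """Both the custom header and the body signature must check out."""
    header_ok = verify_custom_header(headers, auth_header, auth_token)
    signature_ok = verify_signature(headers, raw_body, secret)
    return header_ok and signature_ok


# --- constructed sample, not captured traffic ---
def sign_body(secret: bytes, raw_body: bytes, algorithm: str = "sha256") -> str:
    """Stands in for the provider in this demo: emits 'algorithm=hexdigest'."""
    return f"{algorithm}={hmac.new(secret, raw_body, digestmod=algorithm).hexdigest()}"


SECRET = b"constructed-demo-secret"
BODY = b'{"event":"demo.event","id":12345}'
AUTH_HEADER = "x-demo-auth"            # hypothetical custom header name (not x-fn-*)
AUTH_TOKEN = "constructed-demo-token"
GOOD_HEADERS = {"X-FN-Signature": sign_body(SECRET, BODY), "X-Demo-Auth": AUTH_TOKEN}

if __name__ == "__main__":
    print(accept_request(GOOD_HEADERS, BODY, SECRET, AUTH_HEADER, AUTH_TOKEN))  # True
    tampered = BODY.replace(b"12345", b"99999")
    print(accept_request(GOOD_HEADERS, tampered, SECRET, AUTH_HEADER, AUTH_TOKEN))  # False
```

In a real endpoint, pass the framework's raw body bytes and header mapping into accept_request before any JSON parsing, and return an error response without further processing when it returns False.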
IP Whitelisting
Restrict access to your webhook endpoints by whitelisting IP addresses. Only allow requests from trusted IP addresses associated with the webhook provider.
Field Nation Webhook sends requests from the following IP addresses (Sandbox and Production environments):
- 44.225.211.232
- 44.237.253.26
- 3.226.5.230
- 34.198.172.230
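As an added example (not Field Nation's code), the following Python shows an allowlist check built on the four addresses listed above, including the case that most often undermines IP allowlisting: an endpoint sitting behind a reverse proxy. The check trusts an X-Forwarded-For value only when the direct peer is one of our own proxies, and then uses only the last hop, the address that proxy itself saw connecting. The proxy range 10.0.0.0/8 and the sample peer addresses are assumptions for the demo.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The addresses the page lists for Field Nation Webhook (Sandbox and Production).
FIELD_NATION_WEBHOOK_IPS = [
    "44.225.211.232",
    "44.237.253.26",
    "3.226.5.230",
    "34.198.172.230",
]

# Assumption for the demo: our own reverse proxies live in this range. Only a
# peer from here is allowed to tell us who the real client was.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _networks(entries: Iterable[str]) -> List[IPNetwork]:
    """Single addresses become /32 (or /128) networks, so one check covers both."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


ALLOWED = _networks(FIELD_NATION_WEBHOOK_IPS)
PROXIES = _networks(TRUSTED_PROXIES)


def _contains(networks: List[IPNetwork], ip: IPAddress) -> bool:
    return any(ip in net for net in networks)


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> Optional[IPAddress]:
    """Decide which address to check against the allowlist.

    peer_ip is the address on the TCP connection (what the socket reports).
    X-Forwarded-For is honoured only when that peer is a trusted proxy, and
    then only its last entry, which is the hop the proxy itself appended;
    anything earlier in the list was supplied by the client and is untrusted.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not _contains(PROXIES, peer):
        return peer  # direct connection: the peer is the client
    if not x_forwarded_for:
        return None  # a trusted proxy should always tell us the client
    last_hop = x_forwarded_for.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        return None


def is_allowed_source(peer_ip: str, x_forwarded_for: Optional[str] = None) -> bool:
    client = effective_client_ip(peer_ip, x_forwarded_for)
    return client is not None and _contains(ALLOWED, client)


if __name__ == "__main__":
    # constructed sample connections
    print(is_allowed_source("44.225.211.232"))                      # True: direct from the provider
    print(is_allowed_source("203.0.113.5", "3.226.5.230"))          # False: header from an untrusted peer
    print(is_allowed_source("10.0.0.7", "3.226.5.230"))             # True: provider seen by our proxy
```

Treat this as one layer alongside signature verification rather than a replacement for it: the list of provider addresses can change, and a check on the source address says nothing about whether the body was altered in transit.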