Why isn't sending webhooks by following the Getting Started guide secure?
The Getting Started guide is a great way to test and understand the basic concepts, but it doesn't describe how to create an endpoint. Once an endpoint is created, a secret is generated that is meant to be shared with the endpoint owner, who is responsible for processing the webhook.
How does creating an endpoint improve security?
Creating an endpoint establishes a secret that is shared only with the endpoint owner. This secret is used to generate an HMAC signature. The receiver can process the body along with the headers and the secret to establish whether the webhook was tampered with, as described in the guide on how to verify the HMAC signature.
How do I create an endpoint?
Go to the Endpoints menu using the left sidebar and click Create Endpoint.
After the form is submitted, the newly created endpoint is shown with the signature secret. Share this securely with the endpoint owner.
Now, when a webhook is sent again, an additional header is appended. Note: this header can be given a custom name instead of Nirah when the project is created.
The header looks like this:
For more details on how the receiver or the endpoint owner can verify webhooks, refer to How to verify HMAC signature.
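The receiver-side check described above (body + header + shared secret), as an added example that is not part of this page or the Nirah project. The page does not state the hash algorithm, encoding or header name, so this example assumes HMAC-SHA256 over the raw request body, hex encoding, and a placeholder header name:

```python
import hmac
import hashlib
import json

# Assumptions (not specified on this page): HMAC-SHA256 over the raw body,
# hex-encoded, carried in a header whose name is configurable per project.
SIGNATURE_HEADER = "X-Webhook-Signature"  # placeholder header name, assumed


def sign_payload(secret: str, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 of the raw body under the shared secret."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, body: bytes) -> bool:
    """Return True only if the signature header matches the raw body under the secret.

    The body must be the exact bytes received, not a re-serialised JSON object,
    or the digest will differ. hmac.compare_digest is used so comparison time
    does not reveal how many leading characters of a guess were correct.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Round-trip a constructed webhook, then show altered input is rejected."""
    secret = "endpoint-secret-from-dashboard"  # constructed sample value
    body = json.dumps({"event": "order.paid", "id": 42}).encode()  # constructed
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}
    altered = json.dumps({"event": "order.paid", "id": 43}).encode()
    return {
        "genuine": verify_webhook(secret, headers, body),
        "altered_body": verify_webhook(secret, headers, altered),
        "wrong_secret": verify_webhook("other-secret", headers, body),
        "missing_header": verify_webhook(secret, {}, body),
    }


if __name__ == "__main__":
    print(demo())
```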