Open syntrydy opened 4 months ago
Hello! I'm interested in this topic; could I have it for myself? I have experience in this area.
Sure... why not. I don't think it's a super high priority at Jans. @syntrydy could you explain what you mean by "Require a specific response header for POST requests, unique to the customer"?
Did you have a header in mind?
@nynymike
Before the source app sends an HTTP request via the webhook, it hashes the payload (request body) with HMAC using the secret key. The resulting hash is then bundled into the HTTP request as a header, and the entire request (header and body) is sent to the webhook endpoint.
Upon receiving the HTTP request, the destination app hashes the body with the secret key and then compares the result to the hash provided in the header. If the values match, the destination app knows the data is legit and processes it. If the values do not match, the destination app rejects the data and executes whatever code was written for that scenario — perhaps creating a log entry or sending a notification.
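The sign-then-verify exchange described in the comment above, written out as an added example (not code from the Janssen project or from the commenter). The secret, the payload and the header name `X-Webhook-Signature` are assumptions for illustration; the issue does not fix a header name. The sender signs the exact bytes it puts on the wire; the receiver recomputes the HMAC over the raw body before parsing it and compares in constant time, and anything with a missing, malformed or mismatching header goes down the rejection path instead of being processed.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example. In practice each customer/webhook
# endpoint gets its own random secret, stored on both the source and destination.
SHARED_SECRET = b"example-webhook-secret-0123456789"

# Hypothetical header name; the issue does not specify one.
SIGNATURE_HEADER = "X-Webhook-Signature"


def compute_signature(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded with an algorithm prefix."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def build_signed_request(payload: dict, secret: bytes) -> tuple:
    """Source app side: serialize once, sign exactly the bytes that will be sent."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: compute_signature(body, secret),
    }
    return headers, body


def verify_signed_request(headers: dict, body: bytes, secret: bytes) -> bool:
    """Destination app side: recompute over the raw bytes, compare in constant time."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented or not presented.startswith("sha256="):
        return False
    expected = compute_signature(body, secret)
    # compare_digest does not leak the position of the first mismatching byte
    # through timing; comparing bytes also tolerates a non-ASCII header value.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def handle_webhook(headers: dict, body: bytes, secret: bytes) -> dict:
    """Receiver flow: verify first, and only parse/process a body that verified."""
    if not verify_signed_request(headers, body, secret):
        # Rejection path: the comment suggests logging or notifying here.
        return {"status": "rejected", "reason": "bad signature"}
    payload = json.loads(body)
    return {"status": "processed", "event": payload.get("event")}


if __name__ == "__main__":
    hdrs, raw = build_signed_request({"event": "user.created", "inum": "abc"}, SHARED_SECRET)
    print(handle_webhook(hdrs, raw, SHARED_SECRET))
    # An attacker who changes the body in transit cannot produce a matching header.
    print(handle_webhook(hdrs, raw.replace(b"abc", b"xyz"), SHARED_SECRET))
```

Two points worth keeping in mind when wiring this into a real receiver: read the body as raw bytes and verify before any JSON parsing, since re-serializing a parsed object can change whitespace or key order and break the comparison; and always use a constant-time comparison rather than `==` on the header value.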
Description
Currently there is no security in the webhook feature. The following should be checked: