Signed webhook requests

[chatch]

As far as I can see there is no way to ensure that a webhook request is coming from docuseal? For example by verifying a signature of the request body. This would be a nice security add to harden the webhook system.

A couple of examples of using signatures in webhook requests can be seen in Github webhooks and Stripe webhooks.

In the meantime I'm considering:

• making a call to docuseal API from the webhook to verify the information in the request reflects the current state in the system
• adding some random characters to the webhook URL so it's very difficult to guess (eg. /docuseal/ogukyeldobes3) and thus send requests to

[AlexandrToorchyn]

Hi @chatch thank you for the suggestion, that's true that some services are using signatures as a second layer for webhooks authorization but i think a very small % of DocuSeal users will ever use/need it.

Many users are using Zapier/n8n to process webhooks and it's impossible to verify custom signature webhook payload there - an obfuscated webhook path protects it from the unauthorized access.

For the open-source selfhosted users it's much easier just to whitelist webhooks by IP of their hosted isntance if they want to add a second layer of authorization to their webhooks processing.

[chatch]

thanks @AlexandrToorchyn for the fast reply!

it's impossible to verify custom signature webhook payload there (zapier/n8n)

verifiication of a signature in a header would be completely optional. zapier flows could simply ignore the signature header. and most docuseal users would also ignore it and that's fine. but those that would like the extra level of verification could make use of it.

For the open-source selfhosted users it's much easier just to whitelist webhooks by IP of their hosted isntance if they want to add a second layer of authorization to their webhooks processing.

good point, we will consider doing this down the track .. for now we wanted to start with paid plan on the hosted service and will likely stick with that for 3 to 6 months at least but yes this would be a great option.

i think a very small % of DocuSeal users will ever use/need it.

sure, i guess this is the biggest factor given development effort required to add this.

if someone had time or resources to add this feature though would you be interested in a PR? not sure we do have the time right now! however it might be an option later ...