Consuming Webhooks

About webhooks security

Webhooks are just HTTP requests to your web server. Anyone could craft them and trick your systems to do something as if they had received a valid webhook.

Hook0 provides solutions to protect you from several kinds of attacks:

  • Man-in-the-Middle (MITM) attacks
  • forged requests
  • replay attacks

MITM attacks

Problem: One could intercept network packets of a webhook call and gain access to your data.

Solution: Always use a https:// URL when specifying a webhook subscription target, so that data is encrypted using TLS. Also, double-check that this URL points to an app you own.

Forged requests

Problem: Knowing your subscription URL, anyone could sent it fake data as if it was coming from Hook0.

Solution: Hook0 includes a signature header in every webhook call. This header is a HMAC-SHA-256 signature of the payload. It uses a secret key that was attributed to you when you created your webhook subscription. If you app verifies webhook signatures before processing them, no one can forge fake webhooks anymore.

Replay attacks

Problem: Even if you verify incoming webhooks, one could resend the exact same requests multiple times. This could generate functional issues or simply put a lot of useless load on you systems (denial of service).

Solution part 1: The best solution to this is to ensure that the way you handle webhooks is idempotent. This means that receiving multiple times the same webhook will end up having the same result as receiving it once. For example, you could use a database to write down the event ID (provided by Hook0 in the X-Event-Id header) and only process requests that contain an event ID that is not in the database.

Solution part 2: Hook0 includes a timestamp in the signature header, and the signature itself is computed from both the timestamp and the payload (so that the timestamp cannot be altered). Your app should check that this timestamp is not too old (allowing up to 5 minutes is a good idea). This way, you do not have to worry about anyone replaying old webhooks, which means you do not have to retain event IDs more that 5 minutes while enforcing idempotence.