It is highly recommended that you secure your webhooks.
In Shipped Suite Admin, select "Administration -> Webhooks", then click on the "Edit Webhook Secret" button. Provide us with a randomly generated secret string that is available to your webhook handler.
We will use this secret to generate a SHA256 HMAC that we will include in the webhook header (
X_SHIPPED_SUITE_HMAC_SHA256). You can verify the authenticity of webhooks by verifying the HMAC signature.
Reject unverifiable webhooks
Make sure to verify the authenticity of all webhooks, and refuse to process any webhooks which you cannot verify.
Example verification in ruby:
secret = "thisismytopsecretwebhooksecretthatienteredintoshippedsuiteadmin" shipped_suite_hmac = request.headers['HTTP_X_SHIPPED_SUITE_HMAC_SHA256'] data = request.raw_post calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, data)) ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, shipped_suite_hmac)
Updated 12 months ago