Securing Webhooks

It is highly recommended that you secure your webhooks.

In Shipped Suite Admin, select "Administration -> Webhooks", then click on the "Edit Webhook Secret" button. Provide us with a randomly generated secret string that is available to your webhook handler.

We will use this secret to compute an HMAC-SHA256 over the raw request body and include it, Base64-encoded, in the webhook header (X_SHIPPED_SUITE_HMAC_SHA256). You can verify the authenticity of a webhook by recomputing the HMAC over the body you received and comparing it with the header value.


Reject unverifiable webhooks

Make sure to verify the authenticity of all webhooks, and refuse to process any webhooks which you cannot verify.

Example verification in Ruby (Rails):

require 'openssl'
require 'base64'
require 'active_support/security_utils'

# The same secret you entered in Shipped Suite Admin; load it from configuration rather than source code.
secret = "thisismytopsecretwebhooksecretthatienteredintoshippedsuiteadmin"
shipped_suite_hmac = request.headers['HTTP_X_SHIPPED_SUITE_HMAC_SHA256']
data = request.raw_post  # the raw body as received, not a parsed and re-serialised copy

# Base64 of the raw HMAC-SHA256 digest, compared in constant time against the header value.
# .to_s turns a missing header into "" so the comparison returns false instead of raising.
calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, data))
ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, shipped_suite_hmac.to_s)
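The following is an added, stand-alone Ruby example (not Shipped Suite's own code) that shows both sides of the check: how a signature in the format above is produced, and a verifier that rejects a missing header, a tampered body, a signature made with a different secret, and a body that was re-serialised before verification. The secret and the JSON payload are constructed sample values; the header format (Base64 of the raw HMAC-SHA256 digest) follows the snippet above, and a constant-time compare is written out here so the example runs without Rails.

```ruby
require 'openssl'
require 'json'

# Header that carries the signature, as named on the page.
SIGNATURE_HEADER = 'X_SHIPPED_SUITE_HMAC_SHA256'

# Sender side: raw HMAC-SHA256 over the exact request body, then strict Base64.
# pack('m0') is equivalent to Base64.strict_encode64 without requiring the base64 gem.
def shipped_suite_signature(secret, raw_body)
  [OpenSSL::HMAC.digest('sha256', secret, raw_body)].pack('m0')
end

# Constant-time comparison: XOR every byte pair and OR the results together, so the
# time taken does not reveal how many leading bytes matched. Lengths are public
# (a valid signature is always 44 characters), so an early length mismatch is fine.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side: true only when a signature is present and matches the raw body.
# Anything unverifiable (nil or empty header, wrong secret, altered body) is rejected.
def verified_webhook?(raw_body, header_value, secret)
  return false if header_value.nil? || header_value.empty?
  constant_time_equal?(shipped_suite_signature(secret, raw_body), header_value)
end

# Constructed sample values; not a real secret or a real Shipped Suite payload.
SECRET   = 'constructed-example-secret-not-a-real-one'
RAW_BODY = '{"order_id":"ORD-1001","status":"shipped"}'

if __FILE__ == $PROGRAM_NAME
  sig = shipped_suite_signature(SECRET, RAW_BODY)
  puts "#{SIGNATURE_HEADER}: #{sig}"
  puts "valid body:           #{verified_webhook?(RAW_BODY, sig, SECRET)}"
  puts "tampered body:        #{verified_webhook?(RAW_BODY.sub('shipped', 'refunded'), sig, SECRET)}"
  puts "missing header:       #{verified_webhook?(RAW_BODY, nil, SECRET)}"
  # Parsing and re-serialising the body changes whitespace, so the HMAC no longer matches:
  reserialised = JSON.pretty_generate(JSON.parse(RAW_BODY))
  puts "re-serialised body:   #{verified_webhook?(reserialised, sig, SECRET)}"
end
```

The last case is the common production mistake: verify against the bytes that arrived (`request.raw_post` in Rails), never against a body your framework has already parsed and re-encoded.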