Securing Webhooks

It is highly recommended that you secure your webhooks.

In Shipped Suite Admin, select "Administration -> Webhooks", then click the "Edit Webhook Secret" button. Enter a randomly generated secret string that is also available to your webhook handler.

We use this secret to compute an HMAC-SHA256 over the raw request body, Base64-encode it, and send it in the webhook header (X_SHIPPED_SUITE_HMAC_SHA256). Your handler can verify the authenticity of each webhook by recomputing the HMAC from the raw body and comparing it with the header value.

🚧 Reject unverifiable webhooks

Make sure to verify the authenticity of all webhooks, and refuse to process any webhook which you cannot verify.

Example verification in Ruby (Rails controller):

require 'openssl'
require 'base64'
require 'active_support/security_utils'

# The secret entered under "Administration -> Webhooks" in Shipped Suite Admin
secret = "thisismytopsecretwebhooksecretthatienteredintoshippedsuiteadmin"
# Rails exposes the X_SHIPPED_SUITE_HMAC_SHA256 header under this key
shipped_suite_hmac = request.headers['HTTP_X_SHIPPED_SUITE_HMAC_SHA256']
# Use the raw, unparsed body: re-serialising parsed JSON would change the bytes and break the HMAC
data = request.raw_post

calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, data))
# Constant-time comparison; treat a missing header as unverifiable
verified = shipped_suite_hmac.present? &&
  ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, shipped_suite_hmac)
head :unauthorized unless verified
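The same check as a self-contained Ruby function, added here as an example that is not part of the Shipped Suite documentation or SDK: it needs no Rails, supplies its own constant-time comparison, and rejects a missing header, a tampered body and a wrong secret. The secret, the `verified_webhook?` and `shipped_suite_signature` names and the sample payload are constructed for this example.

```ruby
require "openssl"

# Hypothetical secret, the same string configured in Shipped Suite Admin (constructed).
WEBHOOK_SECRET = "example-secret-configured-in-shipped-suite-admin"

# Compute the signature exactly as the sender does: HMAC-SHA256 over the raw
# request body, then strict Base64 (pack("m0") is Base64.strict_encode64 without
# needing the base64 gem).
def shipped_suite_signature(secret, raw_body)
  [OpenSSL::HMAC.digest("sha256", secret, raw_body)].pack("m0")
end

# Constant-time comparison: always scans every byte so the time taken does not
# reveal how many leading characters of a guessed signature were correct.
def constant_time_equal?(expected, given)
  return false if given.nil? || given.bytesize != expected.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# True only when the header is present and matches the HMAC of the raw body.
# Always pass the unparsed body: re-serialising parsed JSON changes the bytes.
def verified_webhook?(secret, raw_body, header_value)
  return false if header_value.nil? || header_value.empty?
  constant_time_equal?(shipped_suite_signature(secret, raw_body), header_value)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample delivery: body and the header value a genuine sender would attach.
  body = '{"order_id":"ord_123","status":"shipped"}'
  header = shipped_suite_signature(WEBHOOK_SECRET, body)

  puts "genuine:   #{verified_webhook?(WEBHOOK_SECRET, body, header)}"          # true
  puts "tampered:  #{verified_webhook?(WEBHOOK_SECRET, body + " ", header)}"    # false
  puts "no header: #{verified_webhook?(WEBHOOK_SECRET, body, nil)}"             # false
end
```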