Securing your webhook
When you create a webhook, you receive a shared secret: a random 32-character hexadecimal string. If you did not save it, you can update the webhook and request that the shared secret be regenerated.
Each request body, together with a timestamp, is signed with that shared secret using HMAC-SHA-512. The hex digest is sent with every request in the X-Fiberplane-Signature header, in the format v1=[signature]. When you verify it, recompute the HMAC over the same input on your side and compare the two digests with a constant-time comparison rather than plain string equality, so that the comparison does not leak how many leading characters matched.
Keep in mind that the shared secret only lets you verify that a payload really came from Fiberplane rather than from a third party sending a fake payload in Fiberplane's name; it does not keep the payload confidential. For confidentiality, serve your payload-handling endpoint over HTTPS. Note that your certificate must chain to a root trusted by the Mozilla Trust Store; self-signed certificates are not accepted.
Python example
We can extend our server from the previous chapter to verify the signature:
Now we will check every incoming request for a matching signature in the X-Fiberplane-Signature header.
If the verification fails, we will respond with status code 401.
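Because the server from the previous chapter is not reproduced on this page, the following is a self-contained verifier written for this edit, not Fiberplane's own code. It implements what the page states (HMAC-SHA-512 over body + timestamp, a v1=[signature] header, 401 on failure) and makes three assumptions the page does not spell out: the timestamp arrives in an X-Fiberplane-Timestamp header as Unix seconds, the signed message is the raw body bytes followed by the timestamp's ASCII bytes, and the 32-character hex secret is keyed as its ASCII characters. The 300-second replay window is a hardening choice of this example, not a page requirement; the secret, header name and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import io
import os
import re
import time
from typing import Optional
from wsgiref.simple_server import make_server

# Constructed example secret with the shape the page describes (32 hex chars).
# In production read it from the environment; never hard-code it.
SHARED_SECRET = os.environ.get("FIBERPLANE_WEBHOOK_SECRET",
                               "0123456789abcdef0123456789abcdef")

# Assumptions not stated on the page: timestamp header name, Unix-seconds
# timestamp, message = body bytes + timestamp ASCII, secret keyed as ASCII.
SIGNATURE_HEADER = "HTTP_X_FIBERPLANE_SIGNATURE"  # WSGI key for X-Fiberplane-Signature
TIMESTAMP_HEADER = "HTTP_X_FIBERPLANE_TIMESTAMP"  # assumed header, see lead-in
TOLERANCE_SECONDS = 300  # replay window; a hardening choice of this example
HEX_SHA512 = re.compile(r"[0-9a-f]{128}")  # a SHA-512 hex digest is 128 chars


def compute_signature(secret: str, body: bytes, timestamp: str) -> str:
    """HMAC-SHA-512 hex digest over body + timestamp, as the page describes."""
    message = body + timestamp.encode("ascii")
    return hmac.new(secret.encode("ascii"), message, hashlib.sha512).hexdigest()


def sign_request(secret: str, body: bytes, now: Optional[int] = None):
    """Sender side: return (timestamp, X-Fiberplane-Signature value) for a body."""
    timestamp = str(int(time.time()) if now is None else now)
    return timestamp, "v1=" + compute_signature(secret, body, timestamp)


def parse_signature_header(value: str) -> Optional[str]:
    """Pull the v1 digest out of 'v1=<hex>'; tolerates extra comma-separated parts."""
    for part in value.split(","):
        version, sep, digest = part.strip().partition("=")
        if sep and version == "v1":
            return digest.strip().lower()
    return None


def verify_request(secret: str, body: bytes, timestamp: Optional[str],
                   signature_header: Optional[str], now: Optional[int] = None) -> bool:
    """True only for a well-formed v1 signature over body + timestamp whose
    timestamp lies within TOLERANCE_SECONDS of now; every failure returns False."""
    if timestamp is None or signature_header is None:
        return False
    received = parse_signature_header(signature_header)
    if received is None or not HEX_SHA512.fullmatch(received):
        return False
    expected = compute_signature(secret, body, timestamp)
    # Constant-time comparison: '==' leaks how many leading characters matched.
    if not hmac.compare_digest(expected, received):
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    return abs(now - sent_at) <= TOLERANCE_SECONDS


def app(environ, start_response):
    """Minimal WSGI endpoint: 401 when verification fails, 200 otherwise."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length > 0 else b""
    if not verify_request(SHARED_SECRET, body, environ.get(TIMESTAMP_HEADER),
                          environ.get(SIGNATURE_HEADER)):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"invalid signature\n"]
    # The payload is authentic: hand it to your event handler here.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call_app(body: bytes, timestamp: Optional[str], signature: Optional[str]) -> str:
    """Drive app() in-process with a constructed request; returns the status line."""
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    if timestamp is not None:
        environ[TIMESTAMP_HEADER] = timestamp
    if signature is not None:
        environ[SIGNATURE_HEADER] = signature
    status = []
    app(environ, lambda s, headers: status.append(s))
    return status[0]


if __name__ == "__main__":
    with make_server("", 8000, app) as server:
        server.serve_forever()
```

Run it with `python3 webhook.py` and it listens on port 8000; `sign_request` shows what a sender has to produce, so you can test the endpoint end to end with curl before pointing Fiberplane at it. Note that verification reads the raw request bytes before any JSON parsing: re-serialising a parsed body would change whitespace or key order and break the HMAC. If Fiberplane's real timestamp header or concatenation order differs from the assumptions above, only `TIMESTAMP_HEADER` and the one line in `compute_signature` need to change.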