
Webhook Security

  • Webhooks
Lacked
28 Sep, 2024, 18:32

Here's a code snippet

```TypeScript
const signature = req.headers['x-appwrite-webhook-signature'];

if (!signature) {
    return res.json({ error: "Bad signature request" });
}
// Create expected signature
const expectedSignature = crypto.createHmac('sha1', process.env.WEBHOOK_SIG_KEY)
    .update(`${process.env.WEBHOOK_ENDPOINT}${JSON.stringify(payload)}`)
    .digest('base64');

// Securely compare the signatures
if (!crypto.timingSafeEqual(Buffer.from(expectedSignature, 'base64'), Buffer.from(signature, 'base64')))
{
    return res.json({ error: "Unauthorized" });
}
// ...
```

Is this enough to keep my webhook secure?
TL;DR
The code snippet provided shows how a developer is verifying the authenticity of a webhook message in Node.js by comparing signatures. It includes comparing the expected and actual signatures using `crypto.timingSafeEqual`. This approach is secure, given proper implementation of `WEBHOOK_SIG_KEY`.
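An added example, not part of the original post or of Appwrite's own code: the same HMAC-SHA1 check over URL plus body, written so that it fails closed on the inputs that trip up a direct `crypto.timingSafeEqual` call (a signature of the wrong length, a repeated header, an unset key) and so that it signs the raw request body rather than a re-serialized object. The function name, parameter names and sample values are hypothetical and constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical helper (added example). Returns true only for a valid signature.
function verifyAppwriteSignature(
  header: string | string[] | undefined, // x-appwrite-webhook-signature value
  webhookUrl: string,                    // URL the webhook is configured to call
  rawBody: string,                       // request body exactly as received
  key: string,                           // webhook signature key
): boolean {
  // Fail closed on a missing or repeated header and on an unset key.
  if (typeof header !== "string" || header.length === 0 || key.length === 0) {
    return false;
  }
  // Sign the bytes that arrived: JSON.stringify(parsedBody) can differ from them.
  const expected = createHmac("sha1", key).update(webhookUrl + rawBody).digest();
  const received = Buffer.from(header, "base64");
  // timingSafeEqual throws a RangeError when the lengths differ, so check first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials or endpoints.
const SAMPLE_KEY = "constructed-test-key";
const SAMPLE_URL = "https://example.test/hooks/appwrite";
const SAMPLE_BODY = '{"$id":"abc",  "name":"demo"}'; // non-canonical spacing on purpose

function sampleSignature(body: string = SAMPLE_BODY): string {
  return createHmac("sha1", SAMPLE_KEY).update(SAMPLE_URL + body).digest("base64");
}

function demo(): Record<string, boolean> {
  const sig = sampleSignature();
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_BODY));
  return {
    valid: verifyAppwriteSignature(sig, SAMPLE_URL, SAMPLE_BODY, SAMPLE_KEY),
    tamperedBody: verifyAppwriteSignature(sig, SAMPLE_URL, SAMPLE_BODY + " ", SAMPLE_KEY),
    truncatedSig: verifyAppwriteSignature(sig.slice(0, 10), SAMPLE_URL, SAMPLE_BODY, SAMPLE_KEY),
    repeatedHeader: verifyAppwriteSignature([sig, sig], SAMPLE_URL, SAMPLE_BODY, SAMPLE_KEY),
    unsetKey: verifyAppwriteSignature(sig, SAMPLE_URL, SAMPLE_BODY, ""),
    // A legitimate request is rejected if the receiver re-serializes the body.
    reserializedBody: verifyAppwriteSignature(sig, SAMPLE_URL, reserialized, SAMPLE_KEY),
  };
}

console.log(demo());
```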