🧙‍♂️Webhook Wizard

How to Secure Webhook Messages

May 31, 2022

When working with webhooks, it's sometimes hard to know how best to secure them. If you're sending sensitive data, or if you are making sensitive decisions based on the message, you need to know your data is safe and can be trusted.

This can be made even more difficult if you are sending webhooks to different people who have different needs or levels of sophistication.

This article will guide you through the different options and help you work out what fits your needs best.

Webhook Security

Transport encryption and HTTPS

When sending sensitive webhook messages, it's important to use transport encryption to make sure the messages cannot be read by anyone else. This usually means using HTTPS. Sometimes people use another layer of encryption for extra protection, but they often forget to think about key exchange and key rotation, both of which are handled very well by HTTPS. Encryption doesn't need to double as authentication; the two are better treated separately.

Passwords or API Keys

Passwords, whether sent as API keys or as HTTP basic authentication, are forms of authentication where the secret is sent along with the message. They are simple to check, but they are vulnerable to replay attacks. If the password is ever leaked, someone else can reuse it to send new messages. If you trust the transport encryption these are OK, but signatures are better.


Message signatures are made with a hashing function, the message and the key. Each message gets a different signature. The signature is sent along with the message, and the recipient recalculates it and checks that it matches the one that was sent. If it does not match, they can discard the message.

Signatures often include a timestamp so that if the same message is sent twice, the signature is different. This prevents replay attacks.

Signatures are harder to implement, but they are more secure because the key is never sent.
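The signing and checking steps described above, as an added example that is not code from the original article. HMAC-SHA256 as the keyed hash, the `timestamp.body` layout, the 5-minute window, and the sample secret and body are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a value from the article

# Constructed sample values for the demo below.
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"invoice.paid","id":42}'


def sign(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify(secret, body, timestamp_header, signature_header, now=None):
    """Recipient side: recompute the signature and compare it to the one sent."""
    now = int(time.time()) if now is None else now
    if not isinstance(signature_header, str):
        return False  # missing signature header
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False  # missing or malformed timestamp header
    # A stale timestamp means a captured message is being sent again.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, body, timestamp)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature_header.encode())


def demo():
    sent_at = 1_700_000_000  # constructed send time
    sig = sign(SECRET, BODY, sent_at)
    return {
        "fresh": verify(SECRET, BODY, str(sent_at), sig, now=sent_at + 10),
        "tampered": verify(SECRET, BODY + b" ", str(sent_at), sig, now=sent_at + 10),
        "replayed_late": verify(SECRET, BODY, str(sent_at), sig, now=sent_at + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Verify against the raw request bytes as received, before any JSON parsing re-serialises the body, or the recomputed signature will not match.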
