How to Secure Webhook Messages
May 31, 2022
When working with webhooks it is sometimes hard to know how best to secure them. If you are sending sensitive data, or making sensitive decisions based on the message, you need to know your data is safe and can be trusted.
This is made even more difficult if you are sending webhooks to different people who have different needs or levels of sophistication.
This article will guide you through the different options and help you work out what fits your needs best.
Transport encryption and https
When sending sensitive webhook messages it is important to use transport encryption so that the messages cannot be read by anyone else. This usually means using https. Sometimes people add another layer of encryption for extra protection, but they often forget to think about key exchange and key rotation, both of which https handles very well. Encryption is not the same as authentication, and the two are better treated separately.
Passwords or API Keys
Passwords, whether as API keys or http basic authentication, are both forms of authentication where the secret is sent along with the message. These are simple to check, but they are vulnerable to reuse: if the password is ever leaked, someone else can use it to send new messages. If you trust the transport encryption these are OK, but signatures are better.
Message signatures
Message signatures are made with a hashing function, the message and the key. Each message gets a different signature. The signature is sent along with the message, and the recipient recalculates it and checks that it matches the one that was sent. If it does not match, the message is discarded.
Signatures often include a timestamp, so that if the same message is sent twice the signature is different. This prevents replay attacks.
Signatures are harder to implement, but they are more secure because the key itself is never sent.
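As a worked example of the signing scheme described above (added here; it is not code from the original post or from any particular webhook product), the sender computes an HMAC-SHA256 over the timestamp and the body, and the receiver recomputes it, checks the timestamp is within a tolerance window, and compares in constant time. The header names, the secret and the tolerance window are assumptions chosen for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed values for the example (not from the original post).
SECRET = b"example-shared-secret"
TOLERANCE_SECONDS = 300  # reject messages whose timestamp is more than 5 minutes off

# Assumed header names; real services choose their own.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body'.

    Binding the timestamp into the signed payload means the same body sent at a
    different time gets a different signature, which is what defeats replay.
    """
    signed_payload = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Sender side: produce the headers that travel with the webhook body."""
    ts = int(time.time()) if now is None else now
    return {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign(secret, ts, body)}


def verify(secret: bytes, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: recompute the signature and enforce the timestamp window.

    Returns True only if both the signature matches and the timestamp is fresh.
    """
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        received_sig = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: discard
    current = int(time.time()) if now is None else now
    if abs(current - ts) > TOLERANCE_SECONDS:
        return False  # stale (or future-dated) message: treat as a replay
    expected = sign(secret, ts, body)
    # compare_digest runs in constant time so a timing side channel cannot
    # reveal how many leading characters of the guess were correct.
    return hmac.compare_digest(expected, received_sig)


if __name__ == "__main__":
    body = b'{"event":"order.paid","id":123}'  # constructed sample body
    headers = build_headers(SECRET, body)
    print(headers)
    print("valid:", verify(SECRET, headers, body))
    print("tampered:", verify(SECRET, headers, body.replace(b"123", b"124")))
```

The `now` parameter exists so both sides can be tested deterministically; in production it is left as `None` and the wall clock is used. A receiver that also wants to reject an exact duplicate inside the tolerance window can additionally keep a short-lived cache of signatures it has already accepted.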