How to securely send webhooks?

Before sending webhooks securely, send your first webhook by following the Getting Started guide so that you are familiar with the basics. This guide goes a step further and improves security.

Why isn't sending webhooks by following the Getting Started guide secure?

The Getting Started guide is a great way to test and understand the basic concepts, but it doesn't describe how to create an endpoint. Once an endpoint is created, a secret is generated, which is meant to be shared with the endpoint owner who is responsible for processing the webhook.

How does creating an endpoint improve security?

Creating an endpoint establishes a secret that is shared only with the endpoint owner. This secret is used to generate an HMAC signature. The receiver can use the body, the headers and the secret to establish whether the webhook was tampered with, as described in the guide to verifying HMAC signatures.

How to create an endpoint?

Go to the Endpoints menu using the left sidebar and click Create Endpoint.

Create endpoint screenshot

After the form is submitted, the newly created endpoint is shown with the signature secret. Share this secret securely with the endpoint owner.

Create endpoint screenshot

Now, when a webhook is sent again, an additional header, X-Nirah-Signature, is added. Note: the header name can be changed when creating the project so that it uses a custom name instead of Nirah.

The header looks like this:

X-Nirah-Signature: t;1694198234969,sig;QmVmb3Jlc2VuZGluZ3dlYmhvb2tzc2VjdXJlbHk=,sig;QmVmb3Jlc2VuZGluZ3dlYmhvb2tzc2VjdXJlbHk=

For more details on how the receiver or the endpoint owner can verify webhooks, refer to How to verify HMAC signature.
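A receiver-side sketch of handling the header shown above, added here as an illustration and not taken from Nirah's own code: it parses the `t;…,sig;…` elements, rejects stale timestamps, and compares signatures in constant time. The signed payload (`<t>.<body>`), the HMAC-SHA256 algorithm, the five-minute window, and accepting the webhook when any one `sig` matches are assumptions; the verification guide defines the real scheme.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_MS = 5 * 60 * 1000  # assumed replay window, not stated on the page


def parse_signature_header(value):
    """Split 't;<ms>,sig;<b64>,sig;<b64>' into (timestamp_ms, [raw signatures])."""
    timestamp, sigs = None, []
    for part in value.split(","):
        key, sep, val = part.strip().partition(";")
        if not sep:
            raise ValueError("malformed element: %r" % part)
        if key == "t":
            timestamp = int(val)
        elif key == "sig":
            sigs.append(base64.b64decode(val, validate=True))
    if timestamp is None or not sigs:
        raise ValueError("header needs a t element and at least one sig")
    return timestamp, sigs


def expected_signature(secret, timestamp_ms, body):
    # ASSUMPTION: HMAC-SHA256 over b"<t>.<body>"; check the verification
    # guide for the payload the sender actually signs.
    msg = str(timestamp_ms).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).digest()


def verify(secret, header, body, now_ms=None):
    """Return True only for a well-formed, fresh header with a matching sig."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ts, sigs = parse_signature_header(header)
    except ValueError:  # also covers invalid base64 (binascii.Error)
        return False
    if abs(now_ms - ts) > MAX_SKEW_MS:
        return False  # too old or too far in the future: treat as a replay
    want = expected_signature(secret, ts, body)
    ok = False
    for sig in sigs:  # check every element, no early exit
        ok |= hmac.compare_digest(want, sig)
    return ok
```

Pass the raw request body bytes exactly as received; re-serialising parsed JSON before verification changes the bytes and makes a valid signature fail.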
