Securing your webhooks

Summary

Webhooks are a great way to get real-time updates from Flourish into your third-party applications. However, this requires exposing an open HTTP endpoint that waits to receive updates from Flourish.

This presents a security concern:

How do you ensure that requests received by this endpoint are legitimate requests initiated by Flourish, and how do you ensure the data has not been manipulated in any way?

Flourish provides a simple way to secure your webhooks by adding an optional signature header to all requests.

How do I set it up?

When a webhook is configured, you now have the option to provide a signing key, which is used to validate that requests are coming from Flourish.

Once the webhook configuration is saved, the signing key is hidden from view. However, you still have the option to update it.

Make sure to save the signing key you provided, since you will need it to compare signatures.

How do I validate?

Each request must be validated individually, using the signing key that was provided in the webhook configuration.

Flourish uses that key to create a hash signature for each payload. This hash signature is included in the headers of each request as Auth-Signature.

To validate a request, create a hash signature of the ENTIRE payload (the request body) using the SHA256 algorithm and the signing key you provided.

Compare the output to the value sent in the Auth-Signature header.
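The validation step above, written out as an added example that is not Flourish's own code. It assumes the keyed SHA256 signature is HMAC-SHA256 over the raw request body, hex-encoded, with the signing key used as UTF-8 bytes; the sample payload and key are constructed.

```python
import hashlib
import hmac

# Header name Flourish sends the signature in, per the documentation.
SIGNATURE_HEADER = "Auth-Signature"


def sign_payload(body: bytes, signing_key: str) -> str:
    """Compute the keyed SHA256 signature of the raw request body.

    Assumption: the keyed hash is HMAC-SHA256 with the signing key as
    UTF-8 bytes, and the result is hex-encoded.
    """
    return hmac.new(signing_key.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, headers: dict, signing_key: str) -> bool:
    """Return True only if the Auth-Signature header matches the body.

    Sign the bytes exactly as received, before any JSON parsing, so that
    re-serialisation cannot change whitespace or key order. A missing
    header is a failed check, and the comparison is constant-time so the
    endpoint does not leak how many characters of a guess matched.
    """
    # HTTP header names are case-insensitive, so match accordingly.
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None
    )
    if not received:
        return False
    expected = sign_payload(body, signing_key).encode("ascii")
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; not real Flourish data.
    key = "example-signing-key"
    body = b'{"event":"order.updated","order_id":"12345","status":"shipped"}'
    good_headers = {SIGNATURE_HEADER: sign_payload(body, key)}
    print("valid payload:", verify_signature(body, good_headers, key))  # True
    tampered = body.replace(b"shipped", b"cancelled")
    print("tampered payload:", verify_signature(tampered, good_headers, key))  # False
```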
