Webhook Security

The URL for the webhook is publicly available and can be easily accessed by attackers. So, it is critical to ensure that the request is coming from a known sender. An attacker could intercept the webhook request and tamper with their own data if this verification is not performed. Several options are provided for securing webhook data.

Webhook endpoints

The webhook request is the same as any other HTTP request, which is a plain-text protocol. So, the data is in readable format during the webhook request. Attackers can easily intercept these messages and steal sensitive data such as user information.

You can secure webhook data by using an HTTPS URL which ensures that all data sent is encrypted and unreadable.

It supports only HTTPS URLs where data will be sent when a webhook is triggered.

Webhook authentication

You should enable authentication when creating a webhook to send the webhook data securely and verify whether it is sent from the BoldDesk or not. Even though it is optional, you are strongly advised to enable the authentication.

The following are the two methods for authenticating the webhook URL.

• Password
  When creating a webhook, you can use password authentication (Basic Auth) to provide the username and password. The credentials (Username:Password) will be Base64 encoded and sent in the Authorization header (Authorization: Basic <Credential>)

• API Key
  When creating a webhook, users can use API authentication (Basic Auth) to provide the API Key. The API key will be Base64 encoded and sent in the Authorization header (Authorization: Basic <API Key>).

Webhook Signing

Webhook Signing webhook, you can use request signature authentication to provide the secret key. This secret key is used to sign the payload (HMAC-SHA256), generate a Base64 encoded signature, and send it in the header (x-signature). This can be used to validate the payload’s integrity at the receiver end (X-Signature: <Signature>).