Help desk software with unlimited agents starts at $99.  Learn More

simple support ticket system

Webhook Security

Updated on : September 7, 2022

The URL for the webhook is publicly available and can be easily accessed by attackers. So, it is critical to ensure that the request is coming from a known sender. An attacker could intercept the webhook request and tamper with their own data if this verification is not performed. Several options are provided for securing webhook data.

Webhook endpoints

The webhook request is the same as any other HTTP request, which is a plain-text protocol. So, the data is in readable format during the webhook request. Attackers can easily intercept these messages and steal sensitive data such as user information.

You can secure webhook data by using an HTTPS URL which ensures that all data sent is encrypted and unreadable.

It supports only HTTPS URLs where data will be sent when a webhook is triggered.

Note: A webhook will not be triggered in local environments such as localhost.

Webhook authentication

You should enable authentication when creating a webhook to send the webhook data securely and verify whether it is sent from the BoldDesk or not. Even though it is optional, you are strongly advised to enable the authentication.

The following are the two methods for authenticating the webhook URL.

  • Password

When creating a webhook, you can use password authentication (Basic Auth) to provide the username and password. The credentials (Username:Password) will be Base64 encoded and sent in the Authorization header (Authorization: Basic <Credential>).

  • API Key

When creating a webhook, users can use API authentication (Basic Auth) to provide the API Key. The API key will be Base64 encoded and sent in the Authorization header (Authorization: Basic <API Key>).

Webhook Signing

When creating a webhook, you can use request signature authentication to provide the secret key. This secret key is used to sign the payload (HMAC-SHA256), generate a Base64 encoded signature, and send it in the header (x-signature). This can be used to validate the payload’s integrity at the receiver end (X-Signature: <Signature>).

Was this article helpful?

    Live Chat Icon