Security [SOLVED]: How to ensure that webhook is receiving data from desired data source and not third party?

  • #36734

    Anonymous

    Question

    I’m currently building out an application that utilizes Shippo’s webhooks functionality, but wondering if it’s possible to ensure that the HTTP POST requests are coming from Shippo’s servers rather than some malicious third party.

    Adding a webhook to Shippo:
    https://shippo-static.s3.amazonaws.com/img/illustrations/webhooks.png

    When receiving HTTP requests, it appears as though Shippo doesn’t provide a key or anything that I can use on my end to verify that the request came from shippo themselves. Is there any way that I would be able to retroactively and securely ensure that the request came from Shippo’s servers?

    Sample headers:

    User-Agent: python-requests/2.9.1
    Via: 1.1 vegur
    Accept: /
    Connection: close
    Content-Length: 2203
    Total-Route-Time: 0
    Cf-Connecting-Ip: 54.87.248.176
    Cf-Ipcountry: US
    X-Request-Id: cec0a1aa-6a1a-47e9-ac9d-c685a893591d
    Cf-Ray: 3d0718455e149fea-IAD
    Connect-Time: 1
    Accept-Encoding: gzip
    Host: requestb.in
    Shippo-Api-Version: 2017-08-01
    Cf-Visitor: {"scheme":"https"}
    Content-Type: application/json

    Sample JSON Response:
    https://goshippo.com/docs/tracking

    #36735

    Anonymous

    Accepted Answer

    You need to do two things:

    1. Have your webhook include some sort of token, i.e. have shippo call https://yourapp.com/webhookroute/?secure_token=123abc. Parse and check the token server side. Can add multiple tokens, i.e. https://yourapp.com/webhookroute/?secure_token_1=123abc&secure_token_2=456def
    2. Use SSL/TLS certs when deploying your app, which will encrypt the URL/tokens when shippo sends the webhook. Make sure the webhook calls https:// [rest of url], not http://. This will hide the tokens from the rest of the internet.

    If the tokens are set as env vars server side, this should be secure.

    Source: https://stackoverflow.com/questions/47917733/how-to-ensure-that-webhook-is-receiving-data-from-desired-data-source-and-not-th
    Author: ahoang18
    License: This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
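The token check described in the accepted answer, written out as an added example that is not part of the original thread: the expected tokens are read from server-side environment variables (the variable names WEBHOOK_SECURE_TOKEN_1/2 are assumptions), the request must have arrived over HTTPS, and each query-string token is compared in constant time; anything missing, duplicated or mismatched is rejected.

```python
import hmac
import os
from urllib.parse import parse_qs, urlsplit

# Environment variables holding the expected tokens (hypothetical names
# chosen for this example; the answer only says "env vars").
TOKEN_ENV_VARS = ("WEBHOOK_SECURE_TOKEN_1", "WEBHOOK_SECURE_TOKEN_2")


def expected_tokens(environ=os.environ):
    """Map query parameter name -> secret token, read from the environment.
    Unset variables are skipped, so a single-token deployment also works."""
    tokens = {}
    for i, var in enumerate(TOKEN_ENV_VARS, start=1):
        value = environ.get(var)
        if value:
            tokens[f"secure_token_{i}"] = value
    return tokens


def webhook_request_is_authentic(url, scheme, tokens):
    """Return True only if the request came over HTTPS and every configured
    token appears exactly once in the query string with the expected value.

    `scheme` is the scheme your framework reports for the request (e.g.
    Flask's request.scheme); `url` is the full request URL."""
    if scheme != "https":
        return False          # tokens in a plaintext URL are not a secret
    if not tokens:
        return False          # nothing configured: fail closed, never open
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, secret in tokens.items():
        values = query.get(name, [])
        if len(values) != 1:
            return False      # missing or repeated parameter
        # Constant-time comparison so a mismatch does not leak by timing.
        if not hmac.compare_digest(values[0].encode(), secret.encode()):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: the URL shape from the answer, tokens from env vars.
    sample_env = {"WEBHOOK_SECURE_TOKEN_1": "123abc", "WEBHOOK_SECURE_TOKEN_2": "456def"}
    sample_url = "https://yourapp.com/webhookroute/?secure_token_1=123abc&secure_token_2=456def"
    print(webhook_request_is_authentic(sample_url, "https", expected_tokens(sample_env)))
```

Query strings are routinely written to access and proxy logs, so treat these tokens as rotatable credentials and keep the log retention in mind.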