Webhook Signature Verification Guide
Introduction
This guide outlines how to verify the authenticity of webhook requests sent from Ninjahire’s platform to your systems. Webhook requests include a cryptographic signature to ensure the integrity and authenticity of the data received. By verifying the signature, you can be confident that the data has not been tampered with and originates from Ninjahire.
Table of Contents
- Overview
- Signature Structure
- Verifying the Signature
- Example Code for Signature Verification
- Additional Security Tips
1. Overview
Each webhook request from Ninjahire includes:
- Payload: The actual data being sent.
- Headers: Including a cryptographic signature (
X-NINJAHIRE-Signature) and a timestamp (X-NINJAHIRE-Timestamp).
Purpose of Signature Verification:
The cryptographic signature allows you to verify that the payload has not been altered and that the request was made by Ninjahire. You will use a shared secret key (provided by Ninjahire) to recreate the signature and compare it to the one sent with the request.
2. Signature Structure
When Ninjahire sends a webhook, the following headers are included:
X-NINJAHIRE-Signature: A cryptographic HMAC SHA-256 signature of the payload.X-NINJAHIRE-Timestamp: The Unix timestamp indicating when the request was made.
You will use the X-NINJAHIRE-Signature header to verify the payload's integrity.
3. Verifying the Signature
To verify that the request is authentic:
-
Extract the Signature and Timestamp:
- Retrieve the
X-NINJAHIRE-SignatureandX-NINJAHIRE-Timestampfrom the webhook headers.
- Retrieve the
-
Recreate the Signature:
- Recompute the signature on your side using the same hashing algorithm (HMAC SHA-256) and the shared secret key provided by Ninjahire.
-
Compare Signatures:
- Use a timing-safe comparison to compare the received signature with the locally computed signature. This prevents timing attacks.
-
Ensure the Request is Fresh:
- Compare the current time with the timestamp in
X-NINJAHIRE-Timestampto prevent replay attacks. Requests that are too old should be rejected.
- Compare the current time with the timestamp in
4. Example Code for Signature Verification
Below is an example in JavaScript/Node.js for verifying the webhook signature:
JavaScript (Node.js)
Code
Steps in the Code:
- Create the Expected Signature: Using the
crypto.createHmac()method with the shared secret and the payload. - Perform a Timing-Safe Comparison: Use
crypto.timingSafeEqual()to safely compare the received and expected signatures. - Check for Request Freshness: Ensure the timestamp (
X-NINJAHIRE-Timestamp) is recent to avoid replay attacks.
5. Additional Security Tips
-
Validate Timestamp: Always check the
X-NINJAHIRE-Timestampto ensure the request is recent. Reject requests older than a specified window (e.g., 5 minutes) to prevent replay attacks. -
HTTPS: Ensure that your webhook endpoint uses HTTPS to encrypt the data in transit, adding another layer of security.
-
IP Whitelisting: Consider whitelisting Ninjahire’s IP addresses to further secure your webhook endpoint.
-
Logging: Log all webhook requests and responses for audit and debugging purposes. Ensure you store signature details to help identify potential security issues.
Conclusion
Webhook signature verification is a critical step in ensuring that the data sent to your system is secure and authentic. By implementing the provided steps and using the shared secret key, you can verify that the data has not been altered and the request came from Ninjahire.
If you have any further questions or need additional support, feel free to contact our technical team.