Webhook Security Guide

Ensuring the security of webhook payloads is a top priority. LoginRadius employs multiple security layers to guarantee data integrity and authenticity. This guide provides an in-depth look at how to secure your webhooks effectively.

Mandatory HTTPS

All webhook URLs must use HTTPS with validated SSL/TLS certificates to prevent data interception and ensure encrypted transmission. LoginRadius enforces HTTPS for all webhook endpoints to mitigate man-in-the-middle attacks and data exposure.

Signature Verification

Each webhook payload includes a hashed signature field generated using your API secret and the payload body. This process verifies the authenticity of the data source and prevents unauthorized modifications.

Working of Signature Verification

• LoginRadius generates a hashed signature using the API secret and the webhook payload.
• The receiving server must compute the hash using the same secret and compare it with the received signature.
• If the signatures match, the payload is verified as authentic.
• If the signatures do not match, the request should be rejected as it might have been altered or forged.

Example code for signature validation

The following .NET script demonstrates how to compute and validate the signature:

using System;using System.Text;using System.Security.Cryptography;public class Program
{
    private const string key = "<LoginRadius API Secret>";
  private const string message = "<Webhook Payload Body>";
    private static readonly Encoding encoding = Encoding.UTF8;
    static void Main(string[] args)
    {       var keyByte = encoding.GetBytes(key);        using (var hmacsha256 = new HMACSHA256(keyByte))
        {
            hmacsha256.ComputeHash(encoding.GetBytes(message));            Console.WriteLine("Computed Signature: {0}", ByteToString(hmacsha256.Hash));
        }    }
    static string ByteToString(byte[] buff)    {        string sbinary = "";     for (int i = 0; i < buff.Length; i++)           sbinary += buff[i].ToString("X2"); /* hex format */        return sbinary;    }
}

Implementation Considerations

• Use the Correct API Secret: Ensure the same API secret is used while configuring the corresponding webhook in the Webhooks section of the LoginRadius Admin Console.
• Verify Payload Uniqueness: Include timestamps and unique request IDs to prevent replay attacks.
• Use Constant-Time Comparison: To prevent timing attacks, use secure comparison methods when validating signatures.
• Reject Requests with Missing or Invalid Signatures: If a request lacks a signature or is invalid, reject it immediately.

Best Practices for Webhook Security

• Use IP Whitelisting: Allow webhook requests only from trusted IPs to reduce the risk of unauthorized access.
• Rate Limiting: Implement rate limits to mitigate abuse and prevent denial-of-service attacks.
• Store and Rotate Secrets Securely: Regularly rotate API secrets, store them securely, and avoid hardcoding them in source code.
• Validate Content-Type and Structure: Ensure payloads follow expected formats to prevent injection attacks and data corruption.
• Monitor Webhook Activity: Log and analyze webhook requests for anomalies, failed signature verifications, or repeated attempts from unauthorized sources.
• Enable Retry Mechanisms: In transient failures, allow webhook retry attempts with exponential backoff to avoid overwhelming servers.
• Use Additional Encryption (Optional): For added security, encrypt webhook payloads using an additional encryption key.

Implementing these security measures ensures that only authorized and legitimate webhook requests are processed, enhancing the overall security of your application.

Related Resources

• WebHook Overview
• WebHook APIs
• Available Integrations