Security

Security is a top priority in webhook services. In Sendhooks, we pay special attention to securing data transmission and protecting it against potential threats such as Man-in-the-Middle (MITM) attacks and data tampering.

Redis Communication Security

Securing Redis communication is crucial. Detailed information on securing Redis is available on the Introduction page and in the Redis architecture description.

Protecting Data from MITM Attacks and Data Tampering

MITM attacks involve an unauthorized party intercepting and possibly altering the communication between two parties. To safeguard against this, it’s essential to ensure that the data sent to third parties is secure and hasn’t been tampered with.

Signing the Payload

To enhance security, we recommend signing the data payload from your application before transmitting it to Sendhooks via the Redis stream.

  • The payload supports a secretHash field, which typically holds the signature of the data field in the payload.
  • The receiving end should use the same signing algorithm to compute the signature of the data it received and verify the payload’s integrity by comparing that result with the X-Secret-Hash value in the request header.

The data should look like this when adding the secretHash:

{
  "url": "https://example.com/webhook-endpoint",
  "webhookId": "12345",
  "data": {
    "key1": "value1",
    "key2": "value2",
    "key3": "value3"
  },
  "secretHash": "a1b2c3d4e5f6g7h8i9j0"
}

If the two values match, it indicates that the data has not been tampered with. If they don’t match, it suggests possible data tampering, and further investigation is necessary to ensure the system’s integrity and security.

Here is how you can sign data in Python and JavaScript:

const crypto = require("crypto");

// Returns the hex-encoded HMAC-SHA256 of the payload string under secretKey.
function signPayload(payload, secretKey) {
  const hmac = crypto.createHmac("sha256", secretKey);
  hmac.update(payload);
  const signature = hmac.digest("hex");
  return signature;
}

// Example usage:
const payload = '{"data": "example"}';
const secretKey = "your_secret_key"; // placeholder; load the real key from configuration
const signature = signPayload(payload, secretKey);
console.log(`Signature: ${signature}`);
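
The receiving-end check described above, as an added example that is not Sendhooks' own code. It assumes the request body bytes are exactly the bytes that were signed and that X-Secret-Hash carries the hex HMAC-SHA256 produced by signPayload; verifySignature, demo and the sample values are hypothetical names and constructed data.

```javascript
const crypto = require("crypto");

// Sender side, same construction as signPayload on this page: hex HMAC-SHA256.
function signPayload(payload, secretKey) {
  return crypto.createHmac("sha256", secretKey).update(payload).digest("hex");
}

// Receiver side (hypothetical helper): recompute the HMAC over the raw body
// and compare it with the X-Secret-Hash header value in constant time.
function verifySignature(rawBody, headerValue, secretKey) {
  // Reject a missing or malformed header before any comparison.
  if (typeof headerValue !== "string" || !/^[0-9a-f]{64}$/i.test(headerValue)) {
    return false;
  }
  const expected = Buffer.from(signPayload(rawBody, secretKey), "hex");
  const received = Buffer.from(headerValue, "hex");
  // timingSafeEqual throws on unequal lengths; the regex guarantees 32 bytes.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (not real credentials or Sendhooks output).
const SECRET = "your_secret_key";
const BODY = '{"key1":"value1","key2":"value2","key3":"value3"}';

function demo() {
  const header = signPayload(BODY, SECRET);
  return {
    valid: verifySignature(BODY, header, SECRET),
    tamperedBody: verifySignature(BODY.replace("value2", "valueX"), header, SECRET),
    // Same JSON object, different bytes: re-serialising before verifying fails,
    // so the HMAC must be computed over the body exactly as received.
    reserialized: verifySignature(
      JSON.stringify(JSON.parse(BODY), null, 2), header, SECRET),
    wrongKey: verifySignature(BODY, header, "other_key"),
    // The placeholder secretHash from the sample payload is not valid hex.
    placeholderHeader: verifySignature(BODY, "a1b2c3d4e5f6g7h8i9j0", SECRET),
    missingHeader: verifySignature(BODY, undefined, SECRET),
  };
}

console.log(demo());
```

Comparing with timingSafeEqual instead of === avoids leaking, through response timing, how many leading characters of a guessed signature were correct.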