Verifying Webhooks Created via the API
- 06 Mar 2024
If a shared secret is available, each webhook request includes an X-Nexudus-Hook-Signature header, which is generated using the app's shared secret along with the data sent in the request.
The following C# code is used to generate the signature header:
```csharp
// Requires: using System.Security.Cryptography; using Newtonsoft.Json;
var wr = GetWebRequest();
// The payload is serialized as a JSON array containing the DTO
var dataString = JsonConvert.SerializeObject(new[] { dto });

// Calculate signature hash
var sharedSecret = GetSharedSecret();
if (!string.IsNullOrEmpty(sharedSecret))
{
    // Both the secret and the payload are converted to ASCII bytes
    var encoding = new System.Text.ASCIIEncoding();
    var keyBytes = encoding.GetBytes(sharedSecret);
    using var hmacsha256 = new HMACSHA256(keyBytes);
    var messageBytes = encoding.GetBytes(dataString);
    var hashBytes = hmacsha256.ComputeHash(messageBytes);
    var hash = ByteToString(hashBytes);
    wr.Headers.Add("X-Nexudus-Hook-Signature", hash);
}

// Renders the digest as an upper-case hexadecimal string
string ByteToString(byte[] buff)
{
    string sbinary = "";
    for (int i = 0; i < buff.Length; i++)
        sbinary += buff[i].ToString("X2"); // hex format
    return sbinary;
}
```
To verify that the request came from Nexudus, compute the HMAC-SHA256 digest of the data in the request using the shared secret and compare it with the value in the X-Nexudus-Hook-Signature header. If they match, you can be sure that the webhook was sent from Nexudus and the data has not been compromised.
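A receiver-side version of this check, as an added example that is not part of the original article or Nexudus's own code. It is written in Python and assumes the request body arrives byte-for-byte as the string that was signed and that the shared secret is ASCII; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json

HEADER = "x-nexudus-hook-signature"  # HTTP header names are case-insensitive


def expected_signature(shared_secret: str, raw_body: bytes) -> str:
    # Mirrors the sender code above: HMAC-SHA256 keyed with the ASCII bytes of
    # the shared secret, rendered as upper-case hex ("X2").
    key = shared_secret.encode("ascii")  # assumption: the secret is pure ASCII
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest().upper()


def verify_webhook(shared_secret: str, raw_body: bytes, headers: dict) -> bool:
    received = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    if not shared_secret or not received:
        return False  # fail closed: no secret configured or no signature sent
    expected = expected_signature(shared_secret, raw_body)
    # Constant-time comparison; normalise hex case before comparing.
    return hmac.compare_digest(expected.encode(), received.strip().upper().encode())


def handle_webhook(shared_secret: str, raw_body: bytes, headers: dict):
    # Verify the bytes exactly as received, and only then parse them.
    if not verify_webhook(shared_secret, raw_body, headers):
        return None  # caller should reject the request and not process it
    return json.loads(raw_body)  # the sender serialises an array: new[] { dto }


# Constructed sample values, not real Nexudus data.
SAMPLE_SECRET = "example-shared-secret"
SAMPLE_BODY = b'[{"Id":123,"Name":"Example"}]'
SAMPLE_HEADERS = {
    "X-Nexudus-Hook-Signature": expected_signature(SAMPLE_SECRET, SAMPLE_BODY)
}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY + b" ", SAMPLE_HEADERS))
```

Compute the digest over the raw body before any JSON parsing or re-serialisation, since a re-encoded body can differ in whitespace or key order and will no longer match the signature.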