![\"\"](\"https:\/\/messagemedia.com\/wp-content\/uploads\/2020\/08\/secure_webhooks_1.1-1.png\")
<\/p>\nThe growth of Webhooks has been substantial over the last couple of years and more and more services are offering the ability to configure them. In a nutshell, a Webhook\u2019s purpose is to notify you when some sort of event occurs. If you want to use a Webhook, you need to provide a callback URL, and the service offering the Webhook will make a HTTP request to that URL whenever the specified event occurs. All you need is the ability to listen for HTTP requests to the callback URL. The sad part is that standard HTTP messages are insecure and can be easily spoofed, and this could potentially open up a security hole when using Webhooks.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
Once your server is configured to receive requests, it’ll listen for any requests sent to the endpoint you configured. For security purposes, you would want to limit requests to those coming from a trusted source. This can be accomplished by implementing an authentication mechanism for all Webhooks sent via the source.\u00a0However, there is a trade-off between convenience and complexity. The down-side of this approach is that it introduces more complexity for the recipient of the Webhook \u2013 they need to be able to calculate what the hash value should be. But hey better safe than sorry, right?<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/messagemedia.com\/wp-content\/uploads\/2020\/08\/secure_webhooks2_final.png\")
<\/p>\n
<\/p>\n
For instance, let\u2019s say you\u2019re an online vendor who uses Stripe as the payment provider. Stripe offers multiple Webhooks, but let\u2019s talk about the one that informs you when someone has made a purchase. This information can be used to dispatch the product to the buyer. This example highlights the importance of a security mechanism for Webhooks. Imagine what the implications would be if a fake Webhook was received by the system. You don\u2019t want anyone to be able to call your Webhook and get free items shipped to them \u2013 we need to be able to verify who the Webhook is from.<\/p>\n