[Webhooks] how to verify requests are legit?

When working with webhooks, signature validation is common in order to make sure that only valid requests are processed, and that a bad actor can’t spoof requests.

When using Moralis webhooks, what’s the best way for my webhook to make sure that it’s processing a Moralis cloud function trigger?

I didn’t see anything about webhook signatures in the docs.


1 Like

Some links just for reference:

Based on

Webhook security tactics
The first step to securing communications is to force TLS connections or in other words, only accept SSL compliant (https) websites. Now, you can apply a number of different solutions to secure your connection. Let’s talk about what these methods are.

Token-based authentication – Tokens can be added to the callback URL while configuring your webhook. The URL might look like https://www.myapplication/?auth=TOKEN

and how Moralis hides the user id in a speedy node request, maybe you can make your own simple token security (when you define your web hook url) by using an https url that contains your expected token, like https://afasdfasfd.com/?my_custom_token=2314212414 or https://afasdfasfd.com/2314212414/

To me it seems like to mitigate security issues with webhooks moralis should be signing their webhooks: https://stripe.com/docs/webhooks/signatures

I could then verify the signature on my endpoints before executing any actual server logic.