When working with webhooks, signature validation is common in order to make sure that only valid requests are processed, and that a bad actor canât spoof requests.
When using Moralis webhooks, whatâs the best way for my webhook to make sure that itâs processing a Moralis cloud function trigger?
I didnât see anything about webhook signatures in the docs.
Thanks!
Hi,
Some links just for reference:
Based on
Webhook security tactics
The first step to securing communications is to force TLS connections or in other words, only accept SSL compliant (https) websites. Now, you can apply a number of different solutions to secure your connection. Letâs talk about what these methods are.Token-based authentication â Tokens can be added to the callback URL while configuring your webhook. The URL might look like
https://www.myapplication/?auth=TOKEN
and how Moralis hides the user id in a speedy node request, maybe you can make your own simple token security (when you define your web hook url) by using an https url that contains your expected token, like https://afasdfasfd.com/?my_custom_token=2314212414 or https://afasdfasfd.com/2314212414/
To me it seems like to mitigate security issues with webhooks moralis should be signing their webhooks: https://stripe.com/docs/webhooks/signatures
I could then verify the signature on my endpoints before executing any actual server logic.