Secret ID

What is the Secret ID?

Following the same approach as Vercel, and because it is a widespread security practice among applications that implement webhooks, CM Webhook provides a Secret ID that is used to sign every request you receive from our server.

Once your server is configured to receive payloads, it will listen for any payload sent to the endpoint you configured. Anyone who knows the URL of your webhook can send requests to it, so it is recommended that you check whether each request actually comes from CM Webhook.

How does it work?

The recommended check is to use the x-webhook-signature security header sent with each request. Its value is the HMAC-SHA1 hex digest of the raw payload body, keyed with your Secret ID.

For example, you can validate a webhook message as follows:

const crypto = require('crypto');
const { text, send } = require('micro');

module.exports = async (req, res) => {
  // Read the raw request body: the signature is computed over the exact bytes
  // that were sent, so verify before parsing (re-serialised JSON may not match).
  const rawBody = await text(req);

  if (!verifySignature(req, rawBody)) {
    return send(res, 403, {
      code: `invalid_signature`,
      error: `signature didn't match`,
    });
  }

  const payload = JSON.parse(rawBody);
  // Process the payload
};

function verifySignature(req, rawBody) {
  // HMAC-SHA1 hex digest of the raw body, keyed with your Secret ID
  const signature = crypto
    .createHmac('sha1', process.env.SECRET_ID)
    .update(rawBody)
    .digest('hex');
  return signature === req.headers['x-webhook-signature'];
}

To validate a payload, compute an HMAC-SHA1 hex digest of the raw request body using the Secret ID as the key, then compare it with the value of the x-webhook-signature header.