Securing webhooks with signed notifications

#1

Hey everyone, I’m trying to secure my webhook endpoints and following the instructions outlined here:

The problem is, neither of those resources is clear about what data actually gets hashed to create the signature, and I’ve tried a bunch of different things and I'm still not getting a match.

Does anyone know what part of the notification data is used to generate the sha1 hash that’s included in that x-hub-signature header?

0 Likes

#2

Hey @nerboda! So you can take the signature header X-Hub-Signature and compare it to a computed signature, which you can generate like so (using Ruby in my example):

require 'openssl'
require 'rack'

signature    = request.headers['X-Hub-Signature'] # header sent by Intercom
request_body = request.body.read                  # raw payload sent by Intercom (read it before any JSON parsing)
hub_secret   = "Secret you used when creating your webhook subscription"

# compute using request body and hub secret
computed     = "sha1=#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), hub_secret, request_body)}"

# now compare, in constant time so a mismatch does not leak how much of the signature was right
Rack::Utils.secure_compare(computed, signature)

Note that the values used when computing the signature for comparison are the request body (the inbound payload from Intercom) and the hub secret that you sent to Intercom when subscribing.

Hope this helps!

2 Likes
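To make the "raw request body" point from the answer above concrete, here is a self-contained Ruby example (added here, not code from the thread or from Intercom). It reimplements the constant-time comparison so it has no Rack dependency, and it uses a constructed secret and a constructed pretty-printed JSON payload to show that signing the exact bytes received works, while re-serialising the parsed JSON first (which drops the whitespace) breaks the match. The `WebhookSignature` module, the sample values and `reserialized_body` are all assumptions for the example.

```ruby
require 'openssl'
require 'json'

# Helpers for checking an X-Hub-Signature style header (example code, assumed names).
module WebhookSignature
  HEADER_PREFIX = 'sha1='

  # Expected header value: "sha1=" + hex HMAC-SHA1 of the raw body under the shared secret.
  def self.expected_header(secret, raw_body)
    HEADER_PREFIX + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, raw_body)
  end

  # Constant-time comparison (same idea as Rack::Utils.secure_compare): the time taken
  # does not depend on how many leading bytes match, only on the length.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end

  # True only if the header is present, well formed, and matches the HMAC of the
  # exact bytes that arrived on the wire.
  def self.valid?(header, secret, raw_body)
    return false if header.nil? || secret.nil? || raw_body.nil?
    return false unless header.start_with?(HEADER_PREFIX)
    secure_compare(expected_header(secret, raw_body), header)
  end
end

# Constructed sample values (made up for this example): a shared secret and a
# payload delivered with pretty-printing whitespace, as a sender might emit it.
SAMPLE_SECRET   = 'example-hub-secret'
SAMPLE_RAW_BODY = "{\n  \"type\": \"notification_event\",\n  \"topic\": \"conversation.user.created\"\n}"
# The header the sender would attach, computed over the raw bytes.
SAMPLE_HEADER   = WebhookSignature.expected_header(SAMPLE_SECRET, SAMPLE_RAW_BODY)

# Parse and re-generate the JSON: same data, different bytes (whitespace is gone),
# so a signature computed over this string will not match the header.
def reserialized_body(raw_body)
  JSON.generate(JSON.parse(raw_body))
end

if __FILE__ == $PROGRAM_NAME
  puts "raw body valid?           #{WebhookSignature.valid?(SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_RAW_BODY)}"
  puts "re-serialized body valid? #{WebhookSignature.valid?(SAMPLE_HEADER, SAMPLE_SECRET, reserialized_body(SAMPLE_RAW_BODY))}"
  puts "tampered body valid?      #{WebhookSignature.valid?(SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_RAW_BODY + ' ')}"
end
```

In a real handler the body string passed to `valid?` must be the one read straight from the request (for example `request.body.read`) before any framework middleware or JSON library has parsed it; the second `puts` line is exactly the failure people hit when they sign the parsed-and-rebuilt object instead.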

#3

@kyle ahh the raw request body, that’s what I was looking for. Thanks a ton!

0 Likes

#4

:+1: sure thing, glad it was helpful!

0 Likes