Signature Validation
Since your webhook URL is publicly reachable, you need to verify that events truly originate from Curacel and not from an unauthorized party. To do this, check their authenticity using the Webhook Secret that you generate from your dashboard.

Events sent from Curacel carry the x-curacel-signature header. Its value is an HMAC-SHA256 signature of the event payload, computed with your webhook secret. Verify the header signature before processing the event:
PHP
<?php
// Your webhook secret from the Curacel dashboard; here loaded from the environment
define('WEBHOOK_SECRET', getenv('WEBHOOK_SECRET'));

// Ensure it's a POST request carrying the x-curacel-signature header
// (PHP exposes request headers in $_SERVER as HTTP_<UPPERCASED_NAME>)
if (strtoupper($_SERVER['REQUEST_METHOD']) != 'POST' || !array_key_exists('HTTP_X_CURACEL_SIGNATURE', $_SERVER)) {
    exit();
}

// Retrieve the raw request body exactly as sent, since that is what was signed
$input = @file_get_contents("php://input");

// Validate the event: recompute the HMAC and compare in constant time
$expected = hash_hmac('sha256', $input, WEBHOOK_SECRET);
if (!hash_equals($expected, $_SERVER['HTTP_X_CURACEL_SIGNATURE'])) {
    exit();
}

// Acknowledge receipt promptly, then process
http_response_code(200);

// Parse the event (which is a JSON string) as an object
$event = json_decode($input);

// Do something - that will not take long - with $event

exit();
?>
Javascript

var crypto = require('crypto');
var express = require('express');          // npm i express
var bodyParser = require('body-parser');   // npm i body-parser
var secret = process.env.WEBHOOK_SECRET;   // webhook secret from your dashboard

// Using Express.js
var app = express();
app.use(bodyParser.json());

app.post("/my/webhook/url", function(req, res) {
  // Re-serialise the parsed body with forward slashes escaped, to match the payload Curacel signed
  const data = (JSON.stringify(req.body)).replace(/\//g, '\\/');
  // Validate event: recompute the HMAC and compare it to the header in constant time
  const hash = Buffer.from(crypto.createHmac('sha256', secret).update(data).digest('hex'));
  const signature = Buffer.from(req.headers['x-curacel-signature'] || '');
  if (hash.length !== signature.length || !crypto.timingSafeEqual(hash, signature)) {
    return res.sendStatus(401);
  }
  // Retrieve the request's body
  const event = req.body;
  // Do something with event.
  res.sendStatus(200);
});

app.listen(process.env.PORT || 3000);