
Webhooks Security

Protecting your webhook endpoints is crucial for maintaining the security and integrity of your integration with Slate POV Platform. This guide covers essential security measures you should implement.

Why Webhooks Security Matters

Webhooks are HTTP endpoints that receive data from external sources. Without proper security measures, malicious actors could:
  • Send fake webhook events to your application
  • Flood your servers with requests
  • Gain unauthorized access to your data
  • Disrupt your application’s functionality

Essential Security Measures

1. Verify Webhook Signatures

Always verify that webhooks are coming from Slate POV Platform by checking the request signature. Slate POV Platform uses Svix for webhook delivery, which provides built-in signature verification.
// Using the Svix library (recommended)
const { Webhook } = require('svix');

// Verification needs the raw request body, not the JSON-parsed one
const { headers, rawBody } = req;
const wh = new Webhook(webhookSecret);

try {
  // Throws if the svix-id / svix-timestamp / svix-signature headers do not check out
  const payload = wh.verify(rawBody, headers);
  // Process verified payload
  console.log('Verified webhook:', payload);
  res.status(200).json({ received: true });
} catch (err) {
  console.error('Invalid webhook signature:', err);
  res.status(400).json({ error: 'Invalid signature' });
}

2. Restrict by IP Address

Only accept requests from Svix’s webhook IP addresses. This prevents attackers from flooding your servers or wasting your compute resources.
Note: For the most up-to-date list, see Svix’s webhook IPs documentation.

3. Use HTTPS

Always use HTTPS for your webhook endpoints. This ensures that data is encrypted in transit and prevents man-in-the-middle attacks.

4. Implement Rate Limiting

Protect your webhook endpoints from abuse by implementing rate limiting.

5. Validate Payload Structure

Always validate the structure of incoming webhook payloads before processing them.
function validateWebhookPayload(payload) {
  // Guard against a missing or non-object body before touching its properties
  if (payload === null || typeof payload !== 'object') {
    throw new Error('Payload must be a JSON object');
  }

  const requiredFields = ['event', 'timestamp', 'source', 'data'];

  for (const field of requiredFields) {
    if (!Object.prototype.hasOwnProperty.call(payload, field)) {
      throw new Error(`Missing required field: ${field}`);
    }
  }

  if (payload.source !== 'homestar_pov_platform') {
    throw new Error('Invalid webhook source');
  }

  // Validate timestamp format
  const timestamp = new Date(payload.timestamp);
  if (isNaN(timestamp.getTime())) {
    throw new Error('Invalid timestamp format');
  }

  return true;
}

6. Implement Idempotency

Handle duplicate webhook deliveries gracefully by implementing idempotency.

Security Checklist

Before going live with your webhook integration, ensure you have implemented:
  • Webhook signature verification
  • IP address restrictions
  • HTTPS endpoints
  • Rate limiting
  • Payload validation
  • Idempotency handling
  • Error logging and monitoring
  • Secure storage of webhook secrets

Monitoring and Logging

Implement comprehensive logging for your webhook endpoints:
// Log all webhook requests
app.use('/webhooks/homestar', (req, res, next) => {
  console.log(`Webhook received: ${req.method} ${req.path}`, {
    ip: req.ip,
    userAgent: req.get('User-Agent'),
    timestamp: new Date().toISOString()
  });
  next();
});

// Log webhook processing errors (register this after the webhook routes so Express
// routes thrown errors into it; the four-argument signature marks it as an error handler)
app.use('/webhooks/homestar', (err, req, res, next) => {
  console.error('Webhook processing error:', {
    error: err.message,
    stack: err.stack,
    // The payload may contain applicant data; keep these logs access-controlled
    payload: req.body,
    timestamp: new Date().toISOString()
  });

  // Send error to monitoring service
  // (sendToMonitoringService is a placeholder for your own monitoring client)
  sendToMonitoringService('webhook_error', {
    error: err.message,
    event: req.body?.event,
    applicationId: req.body?.data?.slateApplicationId
  });

  // Do not echo internal error details back to the sender
  res.status(500).json({ error: 'Internal server error' });
});

Troubleshooting

Common Security Issues

  1. Invalid signatures: Ensure you’re using the correct webhook secret from your Slate POV Platform Dashboard
  2. IP restrictions: Verify you’re using the current Svix IP addresses
  3. HTTPS issues: Check your SSL certificate configuration
  4. Rate limiting: Adjust limits based on your expected webhook volume

Getting Help

If you encounter security-related issues:
  • Check the Svix documentation for signature verification
  • Review webhook delivery logs in the provided dashboard
