Webhook Signature Security
Verify the authenticity of received webhooks with cryptographic signature.
Anyone who knows your webhook endpoint URL could send fake alerts to it. A cryptographic signature guarantees that the webhook actually comes from MoniTao.
Each webhook includes a signature header that you can verify server-side. Reject any request that does not carry a valid signature.
Why Verify the Signature
- Authenticity: Guarantees the webhook comes from MoniTao and not an attacker.
- Integrity: Ensures the content wasn't modified in transit.
- Non-repudiation: Cryptographic proof that MoniTao actually sent this alert.
How the Signature Works
- Shared secret: MoniTao generates a unique secret for each configured webhook.
- HMAC SHA-256: The payload is signed with this secret using HMAC SHA-256.
- Signature header: The signature is sent in the X-MoniTao-Signature header of the request.
Server-Side Verification
- Retrieve the secret: Store the webhook secret securely (for example, in an environment variable) and read it from there.
- Calculate the signature: Compute the HMAC SHA-256 of the request body with your secret.
- Compare: Use a timing-safe comparison to avoid timing attacks.
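The three steps above as a receiver-side check, written in Python as an added example rather than code taken from MoniTao's documentation. The header name is the one the page gives; the hex encoding of the digest, the secret and the alert payload are assumptions constructed for the demo.

```python
import hmac
import hashlib

# Header name is from the page; hex encoding of the digest is an assumption,
# since the page does not state how the signature value is encoded.
SIGNATURE_HEADER = "X-MoniTao-Signature"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC SHA-256 over the raw body, hex-encoded (encoding assumed)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the request carries a valid signature.

    Verify the exact bytes received, before any JSON parsing: re-serialising
    a parsed body can change whitespace or key order and so the digest.
    """
    received = headers.get(SIGNATURE_HEADER)  # real frameworks: case-insensitive lookup
    if not received:
        return False  # a missing header is a rejection, never "unsigned is fine"
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison; a plain == returns early on the first
    # mismatching byte and leaks the matched length through response timing.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


# Constructed demo values; not a real MoniTao secret or alert payload.
DEMO_SECRET = b"whsec_demo_not_a_real_secret"
DEMO_BODY = b'{"monitor":"api.example.test","status":"down"}'


def demo() -> dict:
    """Exercise the accept path and the three reject paths."""
    signed = {SIGNATURE_HEADER: compute_signature(DEMO_SECRET, DEMO_BODY)}
    tampered = DEMO_BODY.replace(b'"down"', b'"up"')
    return {
        "valid": verify_webhook(DEMO_SECRET, signed, DEMO_BODY),
        "tampered_body": verify_webhook(DEMO_SECRET, signed, tampered),
        "missing_header": verify_webhook(DEMO_SECRET, {}, DEMO_BODY),
        "wrong_secret": verify_webhook(b"other-secret", signed, DEMO_BODY),
    }


if __name__ == "__main__":
    print(demo())
```

In a web framework, pass the request's raw body bytes (not the parsed JSON) and its header mapping to verify_webhook and return an error status when it yields False.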
Frequently Asked Questions
Where to find the signature secret?
In webhook settings, after creation. Copy it securely.
Can I regenerate the secret?
Yes, but remember to update your server with the new secret.
Is verification mandatory?
No, but strongly recommended. Without verification, you're vulnerable to fake webhooks.
What algorithm does MoniTao use?
HMAC SHA-256, industry standard for webhook signing.