Webhooks are an ideal way to send information automatically to an external application. However, it is critical to ensure that the receiving app or server validates the source before accepting requests. To avoid potential security threats, you can secure your webhooks.
Contentstack offers two highly recommended security measures that you can implement when setting up a webhook. These are 'Basic Authentication' and 'Custom Headers'.
Let’s look at the two ways that can be used to secure your webhook event data.
Warning: Currently, Contentstack uses dynamic IP addresses for webhook events. So, you need to secure your webhooks using either 'Basic Authentication' or 'Custom Headers' security measures. It's recommended that you avoid using the hash signature, X-Contentstack-Signature, as it has been deprecated.
When setting up a webhook, Basic Authentication (Basic Auth) lets you set a username and password associated with your HTTP endpoint. With this method, the Basic Auth field values are included in the header of the HTTP request.
To set this method, go to SETTING > Webhooks. Here, you can add the basic auth details by providing the values for the following fields:
- HTTP basic auth username
- HTTP basic auth password
Now, your URL is secure with the above basic auth username and password.
As an additional method of security, you can specify custom headers that Contentstack will use while sending the payload to the specified endpoint. Custom Headers give the destination application an option to authenticate your webhook requests, and reject any that do not contain these custom headers.
Custom headers are key-value parameters that are sent and received in the header of each call to your notifying URL.
To set this method, go to SETTING > Webhooks. Here, you can add custom headers by providing the values for the following fields under ‘Custom headers’:
Note: You can set multiple custom header key-value pairs.
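On the receiving side, the endpoint has to check these values itself and reject anything that fails. The following is an added example, not Contentstack code, of a receiver-side check for a webhook configured with both Basic Auth and one custom header. The username, password, and the header name `X-Webhook-Token` are constructed placeholders.

```python
import base64
import hmac

# Constructed sample values; in practice load these from a secret store.
EXPECTED_USER = "webhook-user"
EXPECTED_PASSWORD = "example-password"
# Hypothetical custom header name and value configured on the webhook.
EXPECTED_HEADERS = {"X-Webhook-Token": "example-token-value"}


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic_auth(headers: dict) -> bool:
    """Validate an 'Authorization: Basic <base64(user:password)>' header."""
    value = headers.get("authorization", "")
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return False
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so a wrong username is not rejected faster.
    user_ok = _equal(user, EXPECTED_USER)
    password_ok = _equal(password, EXPECTED_PASSWORD)
    return user_ok and password_ok


def check_custom_headers(headers: dict) -> bool:
    """Require every configured custom header with its exact value."""
    results = [_equal(headers.get(name.lower(), ""), value)
               for name, value in EXPECTED_HEADERS.items()]
    return all(results)


def accept_webhook(raw_headers: dict) -> bool:
    """Return True only if the request passes both checks."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in raw_headers.items()}
    return check_basic_auth(headers) and check_custom_headers(headers)
```

Call `accept_webhook` with the request headers before parsing the payload, and respond with 401 when it returns False.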