23 / 03 / 01

Secure Webhook Communication with Signature Authentication

Secure Signature-Based Authentication for Webhook Communication

Webhooks are a powerful tool for building integrations between applications. For example, an application might subscribe to the event of a new user signing up or of a payment being made. It is therefore vital that the messages sent via webhooks remain secure, and this is where signature webhooks come in. In this guide, we take a look at the concept of signature webhooks in Go.

What Is a Signature Webhook?

A signature webhook is one in which the message payload is accompanied by a digital signature. The signature is generated with a secret key using a specific algorithm, HMAC-SHA256 for instance. When the receiving application gets the webhook message, it verifies the signature using the same secret key and algorithm. If the signature is valid, the message can be trusted and processed.

What Are Signature Webhooks Used For?

Signature webhooks make working with webhooks more secure. Without a signature, anybody could send a fake webhook message to your application and, in the worst case, cause damage. With a signature, you can make sure that only trusted messages are accepted and processed.

Implementing Signature Webhooks

Implementing signature webhooks in Go is easy. First, create a secret key that will be used to generate the signature. Share this key with no one; it must stay secret.

Then, generate a signature for every message sent via an outgoing webhook. The following function does this with HMAC-SHA256 from Go's standard library:

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
)

// generateSignature returns the hex-encoded HMAC-SHA256 of payload under secretKey.
func generateSignature(payload []byte, secretKey string) string {
    key := []byte(secretKey)
    h := hmac.New(sha256.New, key)
    h.Write(payload) // hash.Hash.Write never returns an error
    return hex.EncodeToString(h.Sum(nil))
}

Once the signature is generated, it is sent alongside the payload in a separate header of the webhook request, for example X-Webhook-Signature. The receiving application can then use the same generateSignature function to recompute the signature over the payload it received and compare it with the header value, and so be reassured of the message's authenticity.
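The full round trip described above, as an added example that is not part of the original post: the sender signs the raw payload, the receiver recomputes the HMAC over the exact bytes it got and compares with hmac.Equal (constant time) before it decodes anything, and a tampered body is rejected with 401. The header name X-Webhook-Signature comes from the post; the secret, the payload and the in-process httptest delivery are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// sign is the sender side: hex-encoded HMAC-SHA256 of the payload bytes under secret.
func sign(payload []byte, secret string) string {
	h := hmac.New(sha256.New, []byte(secret))
	h.Write(payload)
	return fmt.Sprintf("%x", h.Sum(nil))
}

// verify recomputes the signature and compares with hmac.Equal (constant time):
// a plain == would leak, via timing, how many leading bytes of a forgery matched.
func verify(payload []byte, secret, received string) bool {
	return hmac.Equal([]byte(sign(payload, secret)), []byte(received))
}

// newReceiver is the webhook endpoint. It checks the raw body (capped at 1 MiB)
// before any JSON decoding, because the signature covers the exact wire bytes.
func newReceiver(secret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil || !verify(body, secret, r.Header.Get("X-Webhook-Signature")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		} // otherwise the body is authentic: decode and process it here (status 200 by default)
	})
}

func deliver(h http.Handler, payload []byte, sig string) int { // posts to h, returns HTTP status
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(payload))
	req.Header.Set("X-Webhook-Signature", sig)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret, payload := "constructed-demo-secret", []byte(`{"event":"user.signup","id":42}`) // constructed
	fmt.Println(deliver(newReceiver(secret), payload, sign(payload, secret)))                  // 200
	fmt.Println(deliver(newReceiver(secret), payload[:len(payload)-1], sign(payload, secret))) // 401: tampered body
}
```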