Signed webhooks
Each webhook request sent by Rewardful includes a unique signature that can be used to verify the authenticity of the request. You can use this to confirm that the webhook request is legitimate and not an attacker attempting to spoof your endpoint.
Although it's optional, we strongly recommend verifying webhook signatures to keep your app secure.
The signature is contained in the HTTP header X-Rewardful-Signature. You can verify it by computing an HMAC-SHA256 of the raw request body, keyed with your Signing Secret and hex-encoded, and comparing the result with the value of X-Rewardful-Signature. If they match, the request is legitimate.
Here are some examples of how you can verify the signature in a few frameworks and programming languages.
# Ruby (Rails): request.raw_post is the unparsed request body.
require 'openssl'

expected_signature = OpenSSL::HMAC.hexdigest(
  'sha256',
  'my-rewardful-signing-secret',
  request.raw_post
)

# Constant-time comparison (openssl gem 2.2+; Rails apps can also use
# ActiveSupport::SecurityUtils.secure_compare). A missing header becomes "" and fails to match.
if OpenSSL.secure_compare(expected_signature, request.headers['X-Rewardful-Signature'].to_s)
  # The request is legitimate and can be safely processed.
end
<?php
// PHP: read the raw body before anything parses it.
$payload = @file_get_contents('php://input');
if (strlen($payload) == 0) {
    http_response_code(401);
    die("rejected");
}

$headers = getallheaders();
if (!array_key_exists("X-Rewardful-Signature", $headers)) {
    http_response_code(401);
    die("rejected");
}

$expectedSignature = hash_hmac('sha256', $payload, 'my-rewardful-signing-secret');
// hash_equals() compares in constant time, unlike !==.
if (!hash_equals($expectedSignature, $headers["X-Rewardful-Signature"])) {
    http_response_code(401);
    die("rejected");
}

// The request is legitimate and can be safely processed.
?>
# Python (Django-style request object): request.body is the raw request bytes.
import hmac
import hashlib

expected_signature = hmac.new(
    b'my-rewardful-signing-secret',  # the HMAC key must be bytes, not str
    msg=request.body,
    digestmod=hashlib.sha256
).hexdigest()

# compare_digest runs in constant time; a missing header yields '' and fails to match.
if hmac.compare_digest(expected_signature, request.headers.get('X-Rewardful-Signature', '')):
    # The request is legitimate and can be safely processed.
    pass
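The snippets above assume a live web request. The following is an added, stand-alone example (not Rewardful's code) that runs offline: it builds the signature the way the page describes the header (hex HMAC-SHA256 of the raw body keyed with the Signing Secret, which is an assumption about the sender's exact scheme), verifies it with a constant-time comparison, and shows the common failure modes a receiver must reject: a tampered body, a missing header, a wrong secret, and a body that was parsed and re-serialized instead of being verified as raw bytes. The secret and JSON body are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed sample values for a stand-alone demonstration (not real credentials).
SIGNING_SECRET = "my-rewardful-signing-secret"
SAMPLE_BODY = b'{"event":"sale.created","data":{"id":"abc123","amount":4999}}'


def sign(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, keyed with the signing secret.

    Mirrors what the page says X-Rewardful-Signature holds; that the sender
    uses exactly this scheme is an assumption of this example.
    """
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify(secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the request carries a matching signature.

    - Header lookup is case-insensitive (HTTP header names are).
    - A missing or empty header is rejected, never treated as "unsigned is fine".
    - hmac.compare_digest avoids leaking the mismatch position through timing.
    """
    received = ""
    for name, value in headers.items():
        if name.lower() == "x-rewardful-signature":
            received = value.strip()
            break
    if not received:
        return False
    expected = sign(secret, raw_body)
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Exercise the verifier on genuine, tampered, unsigned and re-encoded requests."""
    good_headers = {"X-Rewardful-Signature": sign(SIGNING_SECRET, SAMPLE_BODY)}
    return {
        "genuine": verify(SIGNING_SECRET, SAMPLE_BODY, good_headers),
        # Body altered in transit: amount changed, signature left unchanged.
        "tampered": verify(SIGNING_SECRET, SAMPLE_BODY.replace(b"4999", b"1"), good_headers),
        "missing_header": verify(SIGNING_SECRET, SAMPLE_BODY, {}),
        "wrong_secret": verify("some-other-secret", SAMPLE_BODY, good_headers),
        # Re-serializing the parsed JSON changes whitespace and therefore the bytes,
        # so always verify the raw body, never a re-encoded copy of it.
        "reserialized": verify(
            SIGNING_SECRET,
            json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8"),
            good_headers,
        ),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

Only the genuine request is accepted; every other case is rejected. The "reserialized" case is the one that bites in practice: frameworks that parse JSON before your handler runs can leave you verifying a re-encoded body, so read the raw bytes (request.raw_post, php://input, request.body) exactly as the snippets above do.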