feat: Optional Security Headers added for webhook outputs#379
Merged
Conversation
- optional security header can be enabled by adding the following to your config:
  - "webhookHmacSharedKey": "SomeRandomHMACKey" (Replace "SomeRandomHMACKey" with your private HMAC secret key)
- when ENABLED, the following headers will be included in the webhook request:
  x-hmac-time 1747750828
  x-hmac-signature 7420964e60045e716a9b1d4fabcbc6a9cc913c7e63ac653b313d56a097a36d1a
  x-request-id 769164d0-5592-4a67-9932-038573732fdc
  (example values shown)
--
NOTE:
- THIS MUST USE **SHA-256** HASHING ALG
- MESSAGE TO HASH is **x-hmac-time + x-request-id** (UTF-8 string, no separators)
- DIGEST OUTPUT is **HEX STRING**
- x-hmac-time is **UNIX EPOCH TIME**
- signature is computed using your shared **`webhookHmacSharedKey`**
- You MUST validate that the timestamp is within an acceptable range (e.g. 5 minutes) *before* comparing the HMAC (do this on your backend)
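A receiver-side check for the scheme described above, as an added example that is not part of this PR or its code base: it rebuilds the HMAC-SHA256 hex digest over x-hmac-time + x-request-id, rejects stale timestamps before touching the signature, and compares in constant time. The key value, the 5-minute window constant and the header dict shape are assumptions for illustration.

```python
import hashlib
import hmac
import time
import uuid
from typing import Dict, Optional, Tuple

# Assumed window; the PR only says "an acceptable range (e.g. 5 minutes)".
MAX_SKEW_SECONDS = 300


def sign(shared_key: str, hmac_time: int, request_id: str) -> str:
    """x-hmac-signature: HMAC-SHA256 over the UTF-8 string
    x-hmac-time + x-request-id (no separator), hex encoded."""
    message = f"{hmac_time}{request_id}".encode("utf-8")
    return hmac.new(shared_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_headers(shared_key: str, now: Optional[int] = None) -> Dict[str, str]:
    """Sender side: the three headers the webhook attaches when the key is set."""
    hmac_time = int(time.time()) if now is None else now
    request_id = str(uuid.uuid4())
    return {
        "x-hmac-time": str(hmac_time),
        "x-request-id": request_id,
        "x-hmac-signature": sign(shared_key, hmac_time, request_id),
    }


def verify(headers: Dict[str, str], shared_key: str,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side. Header names are assumed already lower-cased by the
    framework. Returns (ok, reason) so rejects can be logged with a cause."""
    try:
        hmac_time = int(headers["x-hmac-time"])
        request_id = headers["x-request-id"]
        presented = headers["x-hmac-signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed HMAC headers"
    current = int(time.time()) if now is None else now
    # Freshness first, as the PR requires; a request older than the window
    # is refused without doing any HMAC work.
    if abs(current - hmac_time) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptable window"
    expected = sign(shared_key, hmac_time, request_id)
    # compare_digest does not short-circuit on the first differing byte.
    if not hmac.compare_digest(expected, presented.lower()):
        return False, "signature mismatch"
    # Within the window a replayed request would still pass; record seen
    # x-request-id values if replays matter for your backend.
    return True, "ok"
```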
emilyjevans
reviewed
May 27, 2025
remove redundant code.
emilyjevans
previously approved these changes
May 28, 2025
made webhookHmacSharedKey optional
Author
@emilyjevans should be ready.
emilyjevans
approved these changes
May 28, 2025
This was done because we want our backend to only accept requests from the running EKS cluster's X-Gov and no one else. There were other ways to do this but they were more involved on the part of L2/L3 support team's AWS account, so this was done instead and is secure enough that it will suffice.
Type of change
How Has This Been Tested?
Tested on my local system sending payloads with and without it configured on Google Chrome.
Checklist: