These features are available on all plans.
Overview
Webhooks automatically send each Form Widget entry to an external server or service you control. Because that endpoint must be reachable from the internet, it is crucial to configure your receiving server to accept webhook requests only from trusted sources.
Note: Implementing these security practices requires familiarity with server-side code. ShortStack's support team cannot assist with specific configurations on your server(s).
Adding and Validating a Secret Key
The most effective way to secure your receiving server is to set the optional secret key in your webhook settings and then verify, on every request, the signature ShortStack derives from it.
Configure the Webhook Integration
1. Access Webhook Integration Settings:
   - Open your Form Widget's webhook integration settings.
2. Generate a Secret Key:
   - Create a new, long random string to use as your secret key; for example, generate one with a random-string command in your terminal.
   - Copy the generated string and paste it into the Secret Key field in your webhook settings.
3. Save Settings:
   - Save your webhook integration settings.
Configure Your Receiving Server
ShortStack uses the provided secret key to generate an encoded string, sent to your server in the X-Ss-Signature request header. This signature is computed from the request body and your secret key, so a sender that does not know the key cannot produce a valid one.
To validate the data received:
1. Store the Secret Key:
   - Add an environment variable on your server that holds the secret key.
   - Important: Do not hardcode this key into your application or include it in your version control system.
2. Implement Signature Verification:
   - Develop server-side code that recomputes the signature from the raw request body (as received, before any parsing or re-serialization) and your stored secret, and rejects the request when the two values do not match.
   - The signature from ShortStack is prefixed with sha1=. Your verification process should account for this prefix when comparing.
Example in Ruby using Sinatra:
Note: Compare signatures with a constant-time utility such as secure_compare rather than the == operator. A plain == returns as soon as the first differing byte is found, which leaks timing information an attacker can use to guess a valid signature byte by byte.
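The verifier below is added here as a worked example; it is not ShortStack's code and not the page's own Sinatra snippet. It puts together the pieces the steps above call for: reading the secret from an environment variable, recomputing the signature over the raw body, handling the sha1= prefix, and comparing in constant time. It assumes the signature is an HMAC-SHA1 of the body keyed with the secret and hex-encoded (the usual scheme behind a sha1= prefix); the page only says the body and key are combined, so confirm the scheme against a real request before relying on it. The environment variable name SHORTSTACK_WEBHOOK_SECRET and the route path in the comment are also assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not ShortStack's code. Assumption: X-Ss-Signature carries
# "sha1=" followed by the lowercase hex HMAC-SHA1 of the raw request body,
# keyed with your secret. Verify this against a real request.
SIGNATURE_PREFIX = 'sha1='

# One way to produce the secret you paste into the webhook settings:
# 32 random bytes, rendered as 64 hex characters.
def generate_secret
  SecureRandom.hex(32)
end

# The secret comes from the environment, never from source code.
# The variable name is an assumption.
def webhook_secret
  ENV.fetch('SHORTSTACK_WEBHOOK_SECRET')
end

# Recompute the signature over the raw, unparsed body.
def expected_signature(secret, raw_body)
  SIGNATURE_PREFIX + OpenSSL::HMAC.hexdigest('sha1', secret, raw_body)
end

# Constant-time comparison, same approach as Rack::Utils.secure_compare:
# XOR every byte pair and only look at the accumulated result, so the time
# taken does not depend on where the first mismatch is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# True only when the header is present, carries the expected prefix, and
# matches the HMAC of the body under the given secret.
def valid_signature?(secret, raw_body, header_value)
  return false if header_value.nil? || !header_value.start_with?(SIGNATURE_PREFIX)
  secure_compare(expected_signature(secret, raw_body), header_value)
end

# Sinatra-style usage (illustrative, not executed here). Read the body once,
# before any JSON parsing, and verify that exact byte string.
#
#   post '/webhooks/d92g5v0tnbji0d3czkfj' do
#     raw_body = request.body.read
#     sig = request.env['HTTP_X_SS_SIGNATURE']
#     halt 401, 'bad signature' unless valid_signature?(webhook_secret, raw_body, sig)
#     # ...process the entry...
#     status 200
#   end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the RFC 2202 HMAC-SHA1 test vector (key "Jefe").
  secret = 'Jefe'
  body   = 'what do ya want for nothing?'
  sig    = expected_signature(secret, body)
  puts sig                                        # sha1=effcdf6ae5eb2fa2d27416d5f184df9c259a7c79
  puts valid_signature?(secret, body, sig)        # true
  puts valid_signature?(secret, body + ' ', sig)  # false: body was altered in transit
end
```

The demo uses a published HMAC-SHA1 test vector so the expected value can be checked independently; in production the secret is the random string from your webhook settings and the body is whatever ShortStack posts.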
Alternative Security Implementations
In addition to using a secret key, consider the following methods to enhance security:
Randomize the Endpoint's URL
Creating a complex, hard-to-guess endpoint URL can reduce the likelihood of unauthorized access.
- Example: Use a URL like http://www.example.com/webhooks/d92g5v0tnbji0d3czkfj instead of http://www.example.com/webhooks/new.
Note: This method, known as security through obscurity, should not be relied upon as the sole security measure; the URL is visible in your server logs and to any proxy on the path, so treat it as a speed bump only. Combine it with other methods like IP filtering or secret keys.
Whitelist Requests from ShortStack's Campaign Server
Configure your server to accept requests only from ShortStack's IP address:
- IP Address: 52.70.122.166
Implementation methods vary based on your server environment:
- PHP Users: Compare $_SERVER['REMOTE_ADDR'] to the above IP address.
- Ruby Users: Utilize the kickstarter/rack-attack gem for IP filtering.
- Other Environments: Refer to your web server, framework, or middleware documentation for IP filtering instructions.
Note: If a load balancer or reverse proxy sits in front of your application, REMOTE_ADDR is the proxy's address, not ShortStack's. In that case read the client address from the X-Forwarded-For header only when the request arrived from one of your own proxies; a client connecting directly can put any value in that header.
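As an added example (not the page's code and not the rack-attack gem), the check below performs the REMOTE_ADDR comparison in plain Ruby using a Rack-style env hash and shows how to handle the proxy case safely. The allowlisted address is the one listed above; the TRUSTED_PROXIES range is an assumption standing in for your own load balancer's addresses.

```ruby
require 'ipaddr'

# Added example, not ShortStack's or rack-attack's code.
# ALLOWED_SOURCES is the ShortStack address given on this page.
ALLOWED_SOURCES = [IPAddr.new('52.70.122.166')].freeze
# Assumption: your own reverse proxies / load balancers live in this range.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8')].freeze

def trusted_proxy?(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
end

# Work out which address the webhook really came from.
# REMOTE_ADDR is the TCP peer and cannot be forged. X-Forwarded-For is
# consulted only when that peer is one of our own proxies, and then only its
# last entry, which is the one our proxy appended (the address that connected
# to it). Anything earlier in the list was written by the client itself.
# Returns nil when the addresses cannot be parsed.
def client_ip(env)
  peer_s = env['REMOTE_ADDR']
  return nil if peer_s.nil?
  peer = IPAddr.new(peer_s)
  xff = env['HTTP_X_FORWARDED_FOR']
  return peer unless xff && trusted_proxy?(peer)
  IPAddr.new(xff.split(',').last.strip)
rescue IPAddr::InvalidAddressError
  nil
end

# True when the effective client address is one of the allowlisted sources.
def allowed_source?(env)
  ip = client_ip(env)
  !ip.nil? && ALLOWED_SOURCES.any? { |net| net.include?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests (documentation addresses, not real traffic).
  puts allowed_source?('REMOTE_ADDR' => '52.70.122.166')                                        # true: direct from ShortStack
  puts allowed_source?('REMOTE_ADDR' => '203.0.113.9')                                          # false: unknown host
  puts allowed_source?('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '52.70.122.166')  # true: via our proxy
  puts allowed_source?('REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '52.70.122.166') # false: spoofed header
end
```

In a Sinatra or Rack app you would call allowed_source?(request.env) before doing any work and respond with 403 when it returns false. With more than one proxy hop, walk the X-Forwarded-For list from the right, skipping your trusted proxies, and stop at the first address you do not control.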
By combining these measures, in particular signature verification with a secret key, you greatly reduce the risk that forged or replayed requests to your webhook endpoint are accepted as genuine entries.