Good evening, I am wondering if adding a X-Hook-Signature header as described in resthooks.org for improving security and confirming legitimacy of the sender is considered by the IS dev team. Anyone heard of some sort of authentication mechanism to secure the receiver endpoint ?
Regards,
Good afternoon Yann,
We do not currently have any plans to implement a hook signature header, but I will add it to our notes for our next revision.
Thank you,
- Tom Scott
One thing I’ve done is to append ?param=value to the end of the webhook registration. Whenever keap sends the webhook data the header will contain that url with the parameter included and you’ll then know it’s from Keap.
Alternately, record the api server ip addresses and verify that the webhook data was sent from a requester ip address that belongs to keap.