Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enabling Webhook security with RSA-SHA256 signature verification

PointOfSaleDev
First-timer

3 weeks ago

Currently, your webhook integration does not offer a secure way to verify its origins.

Looking at webhook HTTP POST responses, there are HTTP headers that suggest there is planned support for webhook signature verification - x-shipengine-rsa-sha256-key-i  and x-shipengine-rsa-sha256-signature being the prominent ones. Unfortunately, to verify a RSA SHA256 signature developers need access to public rsa key to verify message payloads - which you don't  provide. 

Are there any plans to fully support webhook signature verification by providing a public RSA-SHA256 key?

2 REPLIES 2

CaraAdmin
Khoros

2 weeks ago - last edited 2 weeks ago

Hello @PointOfSaleDev!

 

Thank you for the wonderful idea! Your insights are crucial to our progress, so keep them coming.

 

Happy Shipping!

 

-Cara

0 Kudos

risingspring123
First-timer
In response to CaraAdmin

Thursday

I am also testing some webhook on my system. Eventhough it works, I want to secure my application more, I definitely need to have this validation otherwise how can we validate the ShipStation webhook payload? 
Please let me know.
Thanks

0 Kudos