09-19-2024 08:41 PM
Currently, your webhook integration does not offer a secure way to verify its origins.
Looking at webhook HTTP POST responses, there are HTTP headers that suggest there is planned support for webhook signature verification - x-shipengine-rsa-sha256-key-i and x-shipengine-rsa-sha256-signature being the prominent ones. Unfortunately, to verify an RSA SHA256 signature, developers need access to the public RSA key to verify message payloads - which you don't provide.
Are there any plans to fully support webhook signature verification by providing a public RSA-SHA256 key?
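An added example (not part of the original post and not vendor code) of the receiver-side check the post is asking for, once a public key is available. It assumes the signature header carries a base64 RSASSA-PKCS1-v1_5/SHA-256 signature over the raw request body and that the receiver pins keys by key id; the key pair, key id and payload are constructed for the demo.

```javascript
const nodeCrypto = require('crypto');

// Header names exactly as written in the post above.
const KEY_ID_HEADER = 'x-shipengine-rsa-sha256-key-i';
const SIGNATURE_HEADER = 'x-shipengine-rsa-sha256-signature';

// Assumption: base64 RSASSA-PKCS1-v1_5 / SHA-256 signature over the raw body bytes.
// trustedKeys is a hypothetical Map of key id -> PEM public key pinned by the receiver.
function verifyWebhook(headers, rawBody, trustedKeys) {
  const keyId = headers[KEY_ID_HEADER];
  const sigB64 = headers[SIGNATURE_HEADER];
  if (typeof keyId !== 'string' || typeof sigB64 !== 'string') return false;
  // Accept only pinned keys; never load a key from a location named by the request.
  const publicKeyPem = trustedKeys.get(keyId);
  if (!publicKeyPem) return false;
  try {
    // Verify over the bytes as received, before any JSON parsing or re-serialisation.
    return nodeCrypto.verify('sha256', rawBody, publicKeyPem, Buffer.from(sigB64, 'base64'));
  } catch {
    return false; // malformed key or signature: fail closed
  }
}

// Constructed demo: a throwaway key pair stands in for the sender's key.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const trustedKeys = new Map([['demo-key-1', pem]]);
  const body = Buffer.from('{"resource_type":"constructed_sample","id":1}');
  const headers = {
    [KEY_ID_HEADER]: 'demo-key-1',
    [SIGNATURE_HEADER]: nodeCrypto.sign('sha256', body, privateKey).toString('base64'),
  };
  const tampered = Buffer.from('{"resource_type":"constructed_sample","id":2}');
  return {
    genuine: verifyWebhook(headers, body, trustedKeys),
    tampered: verifyWebhook(headers, tampered, trustedKeys),
    unknownKey: verifyWebhook({ ...headers, [KEY_ID_HEADER]: 'other' }, body, trustedKeys),
    missingSig: verifyWebhook({ [KEY_ID_HEADER]: 'demo-key-1' }, body, trustedKeys),
  };
}
```

Without a published public key to put in `trustedKeys`, every real request falls into the unknown-key branch, which is the gap the post describes.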
09-24-2024 10:00 AM - edited 09-24-2024 10:01 AM
Hello @PointOfSaleDev!
Thank you for the wonderful idea! Your insights are crucial to our progress, so keep them coming.
Happy Shipping!
-Cara
10-03-2024 01:29 PM
I am also testing some webhooks on my system. Even though it works, I want to secure my application more. I definitely need to have this validation; otherwise, how can we validate the ShipStation webhook payload?
Please let me know.
Thanks
4 weeks ago
Hello @risingspring123!
Thank you for your suggestion. We’ve passed it along to our development team for review.
Happy Shipping!
-Cara