3 weeks ago
Currently, your webhook integration does not offer a secure way to verify its origins.
Looking at webhook HTTP POST responses, there are HTTP headers that suggest there is planned support for webhook signature verification - x-shipengine-rsa-sha256-key-i and x-shipengine-rsa-sha256-signature being the prominent ones. Unfortunately, to verify an RSA SHA256 signature, developers need access to the public RSA key to verify message payloads - which you don't provide.
Are there any plans to fully support webhook signature verification by providing a public RSA-SHA256 key?
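The receiver-side check the post above asks for, as an added example that is not part of the original thread and is not ShipStation's own code. It assumes a base64 signature using RSA PKCS#1 v1.5 with SHA-256 over the raw request body, and a locally pinned map from key id to public key; the key pair, key id and payload are constructed for the demo.

```javascript
const crypto = require('crypto');

// Header names copied as they are written in the post above; confirm them
// against a real delivery before relying on them.
const KEY_ID_HEADER = 'x-shipengine-rsa-sha256-key-i';
const SIGNATURE_HEADER = 'x-shipengine-rsa-sha256-signature';

// Assumptions (not confirmed by the thread): the signature is base64,
// RSASSA-PKCS1-v1_5 with SHA-256, computed over the exact raw body bytes.
// trustedKeys maps a key id to a public key PEM pinned by the receiver.
function verifyWebhook(rawBody, headers, trustedKeys) {
  const keyId = headers[KEY_ID_HEADER];
  const sigB64 = headers[SIGNATURE_HEADER];
  if (typeof keyId !== 'string' || typeof sigB64 !== 'string') {
    return { ok: false, reason: 'missing-header' };
  }
  // Only accept keys already pinned locally; the request must not be able
  // to choose which key it is checked against.
  if (!Object.prototype.hasOwnProperty.call(trustedKeys, keyId)) {
    return { ok: false, reason: 'unknown-key' };
  }
  const signature = Buffer.from(sigB64, 'base64');
  // Verify the bytes as received, before any JSON parsing or re-serialising.
  const ok = crypto.verify('RSA-SHA256', rawBody, trustedKeys[keyId], signature);
  return ok ? { ok: true } : { ok: false, reason: 'bad-signature' };
}

// Constructed demo: a throwaway key pair stands in for the sender's key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const trustedKeys = { 'demo-key-1': publicKey.export({ type: 'spki', format: 'pem' }) };
  const body = Buffer.from('{"resource_type":"EXAMPLE","resource_url":"https://example.invalid/1"}');
  const headers = {
    [KEY_ID_HEADER]: 'demo-key-1',
    [SIGNATURE_HEADER]: crypto.sign('RSA-SHA256', body, privateKey).toString('base64'),
  };
  const tampered = Buffer.from(body.toString().replace('/1', '/2'));
  return {
    genuine: verifyWebhook(body, headers, trustedKeys),
    tampered: verifyWebhook(tampered, headers, trustedKeys),
    unknownKey: verifyWebhook(body, { ...headers, [KEY_ID_HEADER]: 'other' }, trustedKeys),
    unsigned: verifyWebhook(body, {}, trustedKeys),
  };
}
```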
2 weeks ago - last edited 2 weeks ago
Hello @PointOfSaleDev!
Thank you for the wonderful idea! Your insights are crucial to our progress, so keep them coming.
Happy Shipping!
-Cara
Thursday
I am also testing some webhooks on my system. Even though it works, I want to secure my application more. I definitely need to have this validation; otherwise, how can we validate the ShipStation webhook payload?
Please let me know.
Thanks