Enabling Webhook security with RSA-SHA256 signature verification

PointOfSaleDev
Occasional Contributor

Currently, your webhook integration does not offer a secure way to verify its origins.

Looking at webhook HTTP POST responses, there are HTTP headers that suggest there is planned support for webhook signature verification - x-shipengine-rsa-sha256-key-i and x-shipengine-rsa-sha256-signature being the prominent ones. Unfortunately, to verify an RSA SHA256 signature, developers need access to the public RSA key to verify message payloads - which you don't provide.

Are there any plans to fully support webhook signature verification by providing a public RSA-SHA256 key?
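An added example, not part of the original post and not ShipEngine or ShipStation code: what a receiver would do with the x-shipengine-rsa-sha256-signature header once it holds the sender's public key. It assumes the header carries a base64 RSASSA-PKCS1-v1_5 signature over the raw request body, which the thread does not confirm; the key, payload and function names are constructed for the demo, and production code would call a vetted crypto library instead of this standard-library check.

```python
import base64
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key built from two Mersenne primes so the example runs
# offline. It is not a real provider key and is not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, only used to make a sample


def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_demo(body: bytes) -> str:
    """Sender side (sample data only): base64 signature header value."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(body, k), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(k, "big")).decode()


def verify_webhook(raw_body: bytes, signature_b64: str, n: int, e: int) -> bool:
    """Receiver side: needs only the public key (n, e) and the raw bytes."""
    k = (n.bit_length() + 7) // 8
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # malformed base64 in the header
        return False
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Compare with a freshly built encoding instead of parsing the padding.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(raw_body, k))


BODY = b'{"resource_type":"constructed_sample","id":1}'  # constructed payload
SIGNATURE = sign_demo(BODY)
```

Verification must run over the request bytes exactly as received; re-serializing parsed JSON before hashing changes the bytes and the check fails.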

3 REPLIES

CaraAdmin
Khoros

Hello @PointOfSaleDev!

 

Thank you for the wonderful idea! Your insights are crucial to our progress, so keep them coming.

 

Happy Shipping!

 

-Cara

I am also testing some webhook on my system. Even though it works, I want to secure my application more. I definitely need to have this validation; otherwise, how can we validate the ShipStation webhook payload?
Please let me know.
Thanks

Hello @risingspring123!

 

Thank you for your suggestion. We’ve passed it along to our development team for review.

 

Happy Shipping!

 

-Cara