Why Verify Webhooks

Because of the way webhooks work, attackers can impersonate services by simply sending a fake webhook request to an endpoint.

Think about it: it’s just an HTTP POST from an unknown source. This scenario creates a potential security hole for many applications, or at the very least, a source of confusion and erroneous data processing.

To prevent unauthorized requests, Straddle signs every webhook and its metadata with a unique key for each endpoint. Verifying this signature confirms that the webhook really comes from Straddle; process the webhook only if the verification passes.

Preventing Replay Attacks

Another potential vulnerability is a replay attack. In a replay attack, an attacker intercepts a valid payload (including the signature) and re-sends it to your endpoint. Because the payload is valid and signed, it would pass the normal verification checks, potentially causing unintended actions or security breaches.

To combat this, Straddle includes a timestamp in every webhook attempt. Our official libraries automatically reject webhooks if their timestamp is more than five minutes off from the current time. This requirement ensures that even if a payload is intercepted, it cannot be successfully replayed at a later time without failing the time-based validation check.

For timestamp verification to be effective, it’s important that your server’s clock is accurate. We recommend using NTP (Network Time Protocol) to keep your server’s clock synchronized.
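
The signature check and the five-minute timestamp check described above, as an added example that is not Straddle's code or its official libraries. The signing scheme (hex HMAC-SHA256 over `<timestamp>.<body>`), the function names and the sample values are assumptions made for illustration, because this page does not specify Straddle's actual format.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the five-minute window described above


class WebhookVerificationError(Exception):
    """Raised when a webhook must not be processed."""


def sign(secret, timestamp, body):
    # Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<body>". Binding the
    # timestamp into the MAC stops a replayer from simply refreshing it.
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify(secret, timestamp_header, signature_header, body, now=None):
    """Raise WebhookVerificationError unless the request is authentic and fresh."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        raise WebhookVerificationError("malformed timestamp") from None
    # Authenticate first (constant-time compare), then trust the timestamp.
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature_header.encode()):
        raise WebhookVerificationError("signature mismatch")
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise WebhookVerificationError("timestamp outside tolerance")


# Constructed sample data, not real Straddle values.
SECRET = b"endpoint-secret-constructed"
BODY = b'{"event":"example.created","id":"evt_constructed"}'
SENT_AT = 1_700_000_000
SIGNATURE = sign(SECRET, SENT_AT, BODY)


def check(timestamp_header, signature, body, now):
    """Return 'ok' or the rejection reason, for demonstration."""
    try:
        verify(SECRET, timestamp_header, signature, body, now)
        return "ok"
    except WebhookVerificationError as exc:
        return str(exc)
```

A replay sent inside the five-minute window still verifies, so the handler that processes the event should also be idempotent.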