Data over webhook notify the application that new user data is available to retrieve. Without added security, attackers may post false notifications to your endpoints, causing fake data to be stored. Therefore, it's important to confirm the notifications are coming from Metric.
To confirm that a notification originated from Metric you may verify the X-Metric-Signature HTTP header value. Compute the expected signature using the following method:
- Get the key you generated when registering your app.
- Append the & character to the key to form the signing key, e.g. 123ab4567c890d123e4567f8abcdef9a&
- Using a cryptographic library, hash the JSON body of the notification with the HMAC-SHA1 algorithm and the above signing key.
- BASE64 encode the result of the hash function.
- Finally, verify the BASE64 encoded value matches the value of the X-Metric-Signature header.
If the signature verification fails, respond with a 404 to avoid revealing your application to a potential attacker. We recommend logging the remote IP of the host sending the incorrect signature, the incoming signature, and the incoming message content. We ask that you send us a copy of this information so we can investigate.
Signature verification is optional but recommended.