Why?

Due to the nature of webhooks, attackers can impersonate services by simply sending a fake webhook to an endpoint. Consider this: it’s merely an HTTP POST from an unknown source. This poses a potential security risk for many applications, or at the very least, a source of issues.

In order to prevent this, ChatBrick signs each webhook and its metadata with a unique key for each endpoint. This signature can then be used to verify that the webhook indeed comes from ChatBrick, and it should only be processed if this is the case.

Another potential security risk is what’s known as replay attacks. A replay attack occurs when an attacker intercepts a valid payload (including the signature) and re-transmits it to your endpoint. This payload will pass signature validation and will therefore be acted upon.

To mitigate this attack, ChatBrick includes a timestamp for when the webhook attempt occurred. Our libraries automatically reject webhooks with a timestamp that is more than five minutes away (past or future) from the current time. This requires your server’s clock to be synchronized and accurate, and it’s recommended that you use NTP to achieve this.

For additional information about webhook security and vulnerabilities, please refer to Svix’s webhook security documentation.

Verifying using Libraries

To more easily verify incoming webhook events, you can use libraries provided by our partner, Svix.

You need to use the raw request body when verifying webhooks, as the cryptographic signature is sensitive to even the slightest changes.

You should watch out for frameworks that parse the request as JSON and then stringify it because this too will break the signature verification.

First install the library using your package manager of choice:

Install the Package
# NPM
npm install svix
# PNPM
pnpm install svix
# Yarn
yarn add svix

Then, verify the webhook event using the code below. The payload is the raw (string) body of the request, and the headers are the headers passed in the request.

import { Webhook } from "svix";

// The secret is unique to each endpoint
// Yoy can retrieve it from the ChatBrick dashboard
const secret = "whsec_MfKQ9r8GKYqrTwjUPD8ILPZIo2LaLaSw";

// These were all sent from the ChatBrick server
const headers = {
  "svix-id": "msg_p5jXN8AQM9LWM0D4loKWxJek",
  "svix-timestamp": "1614265330",
  "svix-signature": "v1,g0hM9SsE+OTPJTGt/tmIKtSyZlE3uFJELVlNIOLJ1OE=",
};

// The payload is the raw JSON string sent by ChatBrick
// Please note that the payload should be the raw request body, not a parsed JSON object.
const payload = '{"test": 2432232314}';

const wh = new Webhook(secret);

// Throws on error, returns the verified content on success
const payload = wh.verify(payload, headers);

Verifying Manually

If your language is not supported by the Svix library, you can verify the signature manually.

Please refer to Svix’s Verifying Webhooks Manually documentation for more information.

SetupRetries