Your server should verify that Refersion is the service that sent a webhook before accepting the incoming data. This is important for securing sensitive data and to protect your server.
Refersion will sign all webhooks with a Refersion-Signature HTTP header. The signature is generated by creating a SHA256 HMAC hash of your Webhook Signing Secret plus the request body which is then base64 encoded.
To verify a webhook was sent from Refersion, you'll need your Webhook Signing Secret. You can find this in your account by navigating to Account > Settings > Webhooks. Click to show the secret and store it somewhere safe on your server for validation.
Validating webhooks from Refersion:
You can validate webhooks from Refersion by creating a SHA256 HMAC hash of your Webhook Signing Secret plus the request body then, base64 encoding the result.
Here is a sample using PHP:
<?php
$req_headers = getallheaders();
$webhook_signature = $req_headers["Refersion-Signature"];
$webhook_body = file_get_contents("php://input");
$rfsn_secret = "Your Webhook Signing Secret";
$my_signature = base64_encode(hash_hmac('sha256', $webhook_body, $rfsn_secret, true));
if ($webhook_signature !== $my_signature) {
exit;
} else {
// Do something with the webhook data
}