Security of a webhook
To prevent your confidential information from being intercepted and to protect your sensitive data, you can specify an HTTPS endpoint so that all data is encrypted in transit. However, security doesn't stop there.
Usually, endpoints are open to the world, which means that anyone who knows the URL can reach them. To let you verify that a request was actually generated by SMTPeter and not by a third party pretending to be us, SMTPeter signs the request headers. In this way, users can verify that requests were generated by our services.
A Digest header is added in compliance with RFC 3230. It can be used to verify the integrity of the message body.
An X-Copernica-ID header with an identifier for your SMTPeter environment is added. The header will contain the data in the
The headers are signed using a draft standard for signing HTTP messages, which you can find here.
In the keyId field, a URL is provided at which a key can be found in a TXT record. Currently, the field contains a full URL that can be queried for a TXT record holding a valid DKIM record. To improve security, these keys are rotated automatically every month. For information on the DKIM key formatting, check out
As an additional security measure, the headers covered by the signature should contain at least the following fields:
(request-target) - the target resource, e.g.
Host - the hostname
Date - the date at which this request was created
X-Copernica-ID - the environment identifier, see above
Digest - the message digest, see above
The headers by themselves are not enough to verify the security of a message. To make the connection fully secure, check off all steps in the following list:
Host header is correct
Digest header is correct
Signature header is correct
Signature covers at least the recommended headers
keyId is pointing to a
Performing all these steps will ensure maximum security.
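As an added example that is not SMTPeter's own code or the implementation linked from this page, the Go program below walks that checklist for a received request: it compares the Host header, recomputes the Digest, parses the Signature header, checks that the required headers are covered, confirms that keyId points to a trusted location, decodes the p= tag of the DKIM TXT record into an RSA public key, and verifies the signature over the draft HTTP-signature signing string. Everything not stated on the page is an assumption of mine: SHA-256 for the Digest and for the signature hash, PKCS#1 v1.5 RSA signatures, an operator-configured keyId URL prefix and expected Host, and a TXT lookup supplied as a function (a DNS query in production). The demo key, host names, environment id, payload and DKIM record are constructed for the demonstration; `demoRequest` only stands in for SMTPeter's signer so the verifier can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// WebhookRequest is the part of a received request the verifier needs; header names are lower-cased.
type WebhookRequest struct {
	Method  string
	Path    string // path and query, used for the (request-target) pseudo-header
	Headers map[string]string
	Body    []byte
}

// RequiredHeaders are the fields the page says a Signature must at least cover.
var RequiredHeaders = []string{"(request-target)", "host", "date", "x-copernica-id", "digest"}

// Constructed values for the demonstration; an operator configures the real ones.
const (
	demoHost      = "hooks.example.test"
	demoKeyPrefix = "https://keys.example.test/"
	demoKeyID     = demoKeyPrefix + "smtpeter._domainkey"
)

// ComputeDigest returns the RFC 3230 Digest value for a body. SHA-256 is an
// assumption; the page does not name the hash SMTPeter uses.
func ComputeDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// SigningString builds the draft HTTP-signature string: one "name: value" line per covered header.
func SigningString(req WebhookRequest, headers []string) (string, error) {
	lines := make([]string, 0, len(headers))
	for _, h := range headers {
		v, ok := req.Headers[h]
		if h == "(request-target)" {
			v, ok = strings.ToLower(req.Method)+" "+req.Path, true
		}
		if !ok {
			return "", fmt.Errorf("signed header %q is absent from the request", h)
		}
		lines = append(lines, h+": "+v)
	}
	return strings.Join(lines, "\n"), nil
}

// parseSignatureHeader splits `keyId="..",algorithm="..",headers="..",signature=".."` into its parameters.
func parseSignatureHeader(v string) map[string]string {
	params := map[string]string{}
	for _, part := range strings.Split(v, ",") {
		name, val, _ := strings.Cut(strings.TrimSpace(part), "=")
		params[name] = strings.Trim(val, `"`)
	}
	return params
}

// publicKeyFromDKIM decodes the base64 DER key in the p= tag of a DKIM TXT record.
func publicKeyFromDKIM(record string) (*rsa.PublicKey, error) {
	for _, tag := range strings.Split(record, ";") {
		if name, val, _ := strings.Cut(strings.TrimSpace(tag), "="); name == "p" {
			der, decodeErr := base64.StdEncoding.DecodeString(val)
			pub, parseErr := x509.ParsePKIXPublicKey(der)
			if rsaPub, ok := pub.(*rsa.PublicKey); ok && decodeErr == nil && parseErr == nil {
				return rsaPub, nil
			}
			return nil, errors.New("p= tag is not a base64 DER-encoded RSA public key")
		}
	}
	return nil, errors.New("DKIM record has no p= tag")
}

// VerifyWebhook walks the page's checklist in order: Host, Digest, Signature header, covered
// headers, keyId location, then the RSA signature itself. keyIDPrefix is the operator-chosen
// URL prefix (hypothetical) a trusted keyId must start with; resolve fetches the TXT record.
func VerifyWebhook(req WebhookRequest, expectedHost, keyIDPrefix string, resolve func(string) (string, error)) error {
	if req.Headers["host"] != expectedHost {
		return errors.New("Host header is not our endpoint")
	}
	if subtle.ConstantTimeCompare([]byte(ComputeDigest(req.Body)), []byte(req.Headers["digest"])) != 1 {
		return errors.New("Digest header does not match the request body")
	}
	params := parseSignatureHeader(req.Headers["signature"])
	for _, h := range RequiredHeaders {
		if !strings.Contains(" "+params["headers"]+" ", " "+h+" ") {
			return fmt.Errorf("Signature does not cover required header %s", h)
		}
	}
	if keyIDPrefix == "" || !strings.HasPrefix(params["keyId"], keyIDPrefix) {
		return errors.New("keyId does not point to the trusted key location")
	}
	record, err := resolve(params["keyId"])
	if err != nil {
		return err
	}
	pub, err := publicKeyFromDKIM(record)
	if err != nil {
		return err
	}
	str, err := SigningString(req, strings.Fields(params["headers"]))
	sig, decodeErr := base64.StdEncoding.DecodeString(params["signature"])
	if err != nil || decodeErr != nil {
		return errors.New("cannot rebuild the signed data from the request")
	}
	sum := sha256.Sum256([]byte(str))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// demoRequest returns a constructed request signed with a freshly generated key, together
// with the DKIM TXT record that publishes that key. It stands in for SMTPeter's signer so the
// verifier can be exercised offline; every value in it is invented for the demonstration.
func demoRequest() (WebhookRequest, string) {
	body := []byte(`{"event":"delivered","id":"msg-1"}`)
	req := WebhookRequest{Method: "POST", Path: "/hooks/smtpeter", Body: body, Headers: map[string]string{
		"host": demoHost, "date": "Tue, 04 Mar 2025 10:00:00 GMT",
		"x-copernica-id": "env-42", "digest": ComputeDigest(body)}}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	str, _ := SigningString(req, RequiredHeaders) // cannot fail: every required header is set above
	sum := sha256.Sum256([]byte(str))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		panic(err)
	}
	req.Headers["signature"] = fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		demoKeyID, strings.Join(RequiredHeaders, " "), base64.StdEncoding.EncodeToString(sig))
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an *rsa.PublicKey
	return req, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

func main() {
	req, record := demoRequest()
	resolve := func(string) (string, error) { return record, nil } // stands in for the DNS TXT query
	fmt.Println("genuine request:", VerifyWebhook(req, demoHost, demoKeyPrefix, resolve))
	req.Body = append(req.Body, '!') // body altered after signing
	fmt.Println("tampered body:  ", VerifyWebhook(req, demoHost, demoKeyPrefix, resolve))
}
```

The order of the checks matters: the cheap comparisons (Host, Digest, covered headers, keyId prefix) run before any DNS query or RSA operation, so an unsigned or mis-addressed request is rejected without doing the expensive work. Two points the checklist leaves to the operator: because Date is a signed header, a verifier can additionally reject requests whose Date is outside a short window, which limits what a captured request is worth to someone replaying it; and because the keys rotate monthly, cache the TXT record no longer than its DNS TTL, or a rotation will make genuine requests fail verification.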
You can find an example implementation of correct message verification here.