mio.ID Business

Security

Webhooks play a critical role in ensuring the seamless functionality of your integration. However, they can become targets for malicious actors attempting to exploit or disrupt the service. To safeguard your application, you must configure your webhook with a 32-byte secret. This secret is essential for encrypting the request body, adding a layer of security to the data transmission.

Enabling Encryption

When encryption is enabled in your webhook configuration:

• Payload Format: The webhook event payload is sent as text/plain containing encrypted data.
• Initialization Vector (IV): A 16-byte cipher initialization vector (IV) is included as metadata in the headers of the webhook request (the example below reads it from x-pvt-cipher-iv). This IV is necessary to decrypt the webhook request body securely.

Below is an example of decrypting an incoming webhook request:

import * as crypto from 'crypto';

export class Decipher {
  decipherAES_256_CBC(request: any): string {
    // The webhook secret; encoded as UTF-8 it must be exactly 32 bytes for AES-256.
    const CIPHER_KEY = 'YOUR-PLAIN-KEY';
    // The IV arrives base64-encoded in the x-pvt-cipher-iv header.
    const BASE64_PLAIN_IV = request.headers['x-pvt-cipher-iv'];
    // The text/plain body is the base64-encoded ciphertext.
    const BASE64_CIPHERED_MESSAGE = request.body;

    const BUFFER_KEY = Buffer.from(CIPHER_KEY);
    const BUFFER_IV = Buffer.from(BASE64_PLAIN_IV, 'base64');
    const BUFFER_CIPHERED_MESSAGE = Buffer.from(BASE64_CIPHERED_MESSAGE, 'base64');

    const DECIPHER = crypto.createDecipheriv('aes-256-cbc', BUFFER_KEY, BUFFER_IV);
    DECIPHER.setAutoPadding(true);

    // The input is already a Buffer, so no input encoding is passed.
    let deciphered_message = DECIPHER.update(BUFFER_CIPHERED_MESSAGE, undefined, 'utf8');

    deciphered_message += DECIPHER.final('utf8');

    return deciphered_message;
  }
}
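
A receiver that checks the key, IV and ciphertext sizes before decrypting and returns one generic error for every failure. This is an added example, not mio.ID code: the names decryptWebhook and buildSampleRequest are hypothetical, the key and event are constructed sample values, and it assumes the decrypted event is JSON.

```typescript
import * as crypto from 'crypto';

export type DecryptResult = { ok: true; event: unknown } | { ok: false; error: string };

// Hypothetical helper. Assumption: the secret is 32 raw bytes used directly as
// the AES-256 key, as in the page's Buffer.from(CIPHER_KEY).
export function decryptWebhook(key: Buffer, ivHeader: string | undefined, body: string): DecryptResult {
  // One generic error for every failure, so a response never reveals which check failed.
  const fail: DecryptResult = { ok: false, error: 'invalid webhook payload' };
  if (key.length !== 32 || typeof ivHeader !== 'string') return fail;

  const iv = Buffer.from(ivHeader, 'base64');
  const ciphertext = Buffer.from(body, 'base64');
  // CBC needs a 16-byte IV and a non-empty ciphertext made of whole 16-byte blocks.
  if (iv.length !== 16 || ciphertext.length === 0 || ciphertext.length % 16 !== 0) return fail;

  try {
    const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
    const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
    // Assumption: the event is JSON. Parsing also rejects garbage from a wrong key.
    return { ok: true, event: JSON.parse(plain.toString('utf8')) };
  } catch {
    return fail; // bad padding, wrong key, or non-JSON plaintext
  }
}

// Constructed sender side, so the receiver can be exercised offline: base64 body
// plus a base64 IV in x-pvt-cipher-iv, as the page describes.
export function buildSampleRequest(key: Buffer, event: object) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(event), 'utf8'), cipher.final()]);
  return { headers: { 'x-pvt-cipher-iv': iv.toString('base64') }, body: body.toString('base64') };
}

// Constructed 32-byte key and event, for demonstration only.
const sampleKey = Buffer.from('0123456789abcdef0123456789abcdef');
const sample = buildSampleRequest(sampleKey, { id: 'constructed-1' });
console.log(decryptWebhook(sampleKey, sample.headers['x-pvt-cipher-iv'], sample.body));
```

AES-CBC provides confidentiality but no integrity check, so treat the decrypted event as untrusted input and validate its fields before acting on it.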

Last updated 6 months ago