Webhook Security: HMAC signature
Secure your project's, task's, and issue's webhooks with HMAC-SHA 256 (Hash-Based Message Authentication Codes with SHA 256). Zoho Projects has the option to secure webhooks using HMAC-SHA 256, an industry standard hashing mechanism to ensure and maintain the authenticity and integrity of webhooks.
HMAC helps check:
- If the webhook request has been sent from Zoho Projects (The secret key must be known only to Zoho Projects and the receiving application).
- If the webhook content has been tampered with along the way.
Why secure Webhooks?
Webhooks are HTTP requests of one application to provide real-time data to another application. In a security attack, the attackers can easily impersonate legitimate providers by sending fraudulent webhooks and extracting sensitive data. Therefore, webhooks need to be secure so that your app only listens to real events from trusted sources and doesn’t get tricked by fake or harmful requests.
Benefits:
- Avoid wrong data in reports
- Avoid unauthorized updates
- Avoid security breaches
Enable Webhook security
Users can enable webhook security setting while adding or editing a webhook.
- Go to Settings > Automation/ Issue Tracker > Webhooks.
- For new webhooks, fill in the details in the webhook form and toggle Security Settings. For existing webhooks, select the webhook where you want to enable security.
- Enter the HMAC key. Users can also generate HMAC key by clicking on Generate.
- Click Save.
HMAC key length should be between 16 to 128 characters long.
How does webhook security work in Zoho Projects?
When a webhook is sent from Zoho Projects, an HMAC signature is included in the request headers with the name X-ZP-WEBHOOK-SIGNATURE. Upon receiving the webhook request, the receiving application will generate a HMAC signature using the same secret key and compare the results with the value present in the request header. If the value matches, the data is legitimate; otherwise, the data has been tampered with.
Generating a HMAC signature
Zoho Projects calculates the signature of the webhook payload using the HMAC-SHA256 algorithm, and the result is sent in base64 format in the request header. Here is the explanation with sample data:
payload | {{"requests":{"request_name":"Test Name"},"notifications": {"operation_type":"RequestSigningSuccess"}} |
secret_key | thisisthesamplekeyfortestingpurposes |
base64encode(HMAC SHA-256(payload+secret_key)) | drbSrM4H816RYKpZiRBLddUa0yHaTrwjtY04sIZFZus= |
Here is an image of how webhook request header(HMAC header) look like:
Verifying HMAC signature in the receiving application
- You must read the payload as a string to avoid reordering keys when read in JSON format.
- Compute HMAC SHA-256 hash of the payload using the secret key and base64 encode the result.
- Compare the value obtained from step 2 and the received HMAC header (X-ZP-WEBHOOK-SIGNATURE) value. If there is a mismatch, reject the webhook request.
A sample of Java code snippet to verify the HMAC signature:
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho Writer?
Create. Review. Publish.
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
ウェブフックセキュリティ:HMAC署名
お知らせ:当社は、お客様により充実したサポート情報を迅速に提供するため、本ページのコンテンツは機械翻訳を用いて日本語に翻訳しています。正確かつ最新のサポート情報をご覧いただくには、本内容の英語版を参照してください。 プロジェクト、タスク、課題のWebhookをHMAC-SHA 256(SHA 256を用いたハッシュベースのメッセージ認証コード)で保護します。Zoho Projectsでは、Webhookの認証性と完全性を確保・維持するための業界スタンダードなハッシュ機構であるHMAC-SHA ...Webhook
Webhookは、 Zoho Projects から他社アプリへの自動化HTTP通知を容易にする開発者向け機能です。Webhookを使用して、自分のHTTP URLを設定して、個別の業務ルールに関連付けることで、課題に関連するすべての通知やデータ送信処理を自動化できます。Webhookについての詳細は、 WebHooks.org をご参照ください。 利用条件:エンタープライズプラン(最新) Webhookの設定 画面右上の アイコンをクリックします。 [課題管理]→[Webhook] ...Webhook for Users
Webhooks enable you to send automated HTTP notifications to third-party applications. Webhooks transmit real-time data from one application to another when an event or trigger occurs. You can define your own HTTP URLs and associate them with workflow ...タスクのWebhook
Webhookを設定すると、Zoho Projectsから外部サービスのアプリケーション宛てにインターネットを通じて自動でデータを送信することができます。Webhookは、アプリケーション内で特定の処理が行われた際に別のアプリケーションに対してリアルタイムでデータを送信するための機能です。Webhookの機能の利用することで、Zoho ...ユーザー向けWebhook
お知らせ:当社は、お客様により充実したサポート情報を迅速に提供するため、本ページのコンテンツは機械翻訳を用いて日本語に翻訳しています。正確かつ最新のサポート情報をご覧いただくには、本内容の英語版を参照してください。 Webhook を有効にすると、自動化された HTTP 通知をサードパーティアプリケーションへ送信できます。Webhook は、イベントやトリガーが発生した際に、あるアプリケーションから別のアプリケーションへリアルタイムのデータを転送します。独自の HTTP URL ...
New to Zoho LandingPage?
Zoho LandingPage Resources