Webhook Security: HMAC signature
Secure your project's, task's, and issue's webhooks with HMAC-SHA 256 (Hash-Based Message Authentication Codes with SHA 256). Zoho Projects has the option to secure webhooks using HMAC-SHA 256, an industry standard hashing mechanism to ensure and maintain the authenticity and integrity of webhooks.
HMAC helps check:
- If the webhook request has been sent from Zoho Projects (The secret key must be known only to Zoho Projects and the receiving application).
- If the webhook content has been tampered with along the way.
Why secure Webhooks?
Webhooks are HTTP requests of one application to provide real-time data to another application. In a security attack, the attackers can easily impersonate legitimate providers by sending fraudulent webhooks and extracting sensitive data. Therefore, webhooks need to be secure so that your app only listens to real events from trusted sources and doesn’t get tricked by fake or harmful requests.
Benefits:
- Avoid wrong data in reports
- Avoid unauthorized updates
- Avoid security breaches
Enable Webhook security
Users can enable webhook security setting while adding or editing a webhook.
- Go to Settings > Automation/ Issue Tracker > Webhooks.
- For new webhooks, fill in the details in the webhook form and toggle Security Settings. For existing webhooks, select the webhook where you want to enable security.
- Enter the HMAC key. Users can also generate HMAC key by clicking on Generate.
- Click Save.
HMAC key length should be between 16 to 128 characters long.
How does webhook security work in Zoho Projects?
When a webhook is sent from Zoho Projects, an HMAC signature is included in the request headers with the name X-ZP-WEBHOOK-SIGNATURE. Upon receiving the webhook request, the receiving application will generate a HMAC signature using the same secret key and compare the results with the value present in the request header. If the value matches, the data is legitimate; otherwise, the data has been tampered with.
Generating a HMAC signature
Zoho Projects calculates the signature of the webhook payload using the HMAC-SHA256 algorithm, and the result is sent in base64 format in the request header. Here is the explanation with sample data:
payload | {{"requests":{"request_name":"Test Name"},"notifications": {"operation_type":"RequestSigningSuccess"}} |
secret_key | thisisthesamplekeyfortestingpurposes |
base64encode(HMAC SHA-256(payload+secret_key)) | drbSrM4H816RYKpZiRBLddUa0yHaTrwjtY04sIZFZus= |
Here is an image of how webhook request header(HMAC header) look like:
Verifying HMAC signature in the receiving application
- You must read the payload as a string to avoid reordering keys when read in JSON format.
- Compute HMAC SHA-256 hash of the payload using the secret key and base64 encode the result.
- Compare the value obtained from step 2 and the received HMAC header (X-ZP-WEBHOOK-SIGNATURE) value. If there is a mismatch, reject the webhook request.
A sample of Java code snippet to verify the HMAC signature:
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho Writer?
Create. Review. Publish.
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Zoho Vault for Zoho Projects
Zoho Vault is an online password manager for teams. If you are struggling with remembering numerous passwords, Zoho Vault can keep them safe for you. It helps to store, share, and manage your passwords from anywhere. Zoho Vault is the best way to ...Webhooks for Tasks
Webhooks facilitate automated HTTP notifications to third party applications from Zoho Projects. Webhooks allow you to send real-time data from one application to another whenever an event occurs. Using Webhooks, you can configure your own HTTP URLs ...Github Integration
Github integration allows you to host your repositories, see source commits, and make code changes. And so, now you can view all the changes made in your Github repository in Zoho Projects. Feature Availability: Premium and Enterprise plans Copy ...Bitbucket Integration
Having multiple lines of code and changing versions can be difficult to track. Commit codes in Bitbucket and view the changesets inside Zoho Projects. You can integrate Zoho BugTracker with Bitbucket using webhooks. You must be an Admin to integrate ...Webhooks for Projects
Webhooks enable users to send automated HTTP notifications to third-party applications. Webhooks transmit real-time data from one application to another when an event or trigger occurs. You can define your own HTTP URLs and associate them with ...
New to Zoho LandingPage?
Zoho LandingPage Resources