Verify Events
There are two ways to ensure events you receive are from Dojah.
- IP Whitelisting
- Signature validation
IP Whitelisting
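With this method, you allow only certain IP addresses to access your webhook URL and block all others. An IP allowlist restricts where requests can come from but does not authenticate the payload itself, so use it alongside signature validation rather than instead of it. Dojah will only send webhooks from these IP addresses: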
- 18.117.209.2, 3.137.39.253
Signature Validation
Events sent from Dojah carry the x-dojah-signature header. The value of this header is an HMAC SHA256 signature of the event payload, signed using your secret key. Verify the header signature before processing the event, and do not act on an event whose signature does not match:
var crypto = require('crypto');
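// Signing secret shared with Dojah. It is read from the environment so it never
// lives in source control.
const secret = process.env.SECRET_KEY;

/**
 * Compare the received x-dojah-signature value with the expected hex digest.
 *
 * The comparison is done with crypto.timingSafeEqual so that the time taken
 * does not depend on how many leading characters of the signature are correct.
 *
 * @param {string} expectedHex - Hex HMAC-SHA256 digest computed locally.
 * @param {unknown} received - Raw header value; undefined when the header is absent.
 * @returns {boolean} true only when both values are identical strings.
 */
function signaturesMatch(expectedHex, received) {
  if (typeof received !== 'string') {
    return false;
  }
  const expectedBytes = Buffer.from(expectedHex, 'utf8');
  const receivedBytes = Buffer.from(received, 'utf8');
  // timingSafeEqual throws when the lengths differ, so check the length first.
  return (
    expectedBytes.length === receivedBytes.length &&
    crypto.timingSafeEqual(expectedBytes, receivedBytes)
  );
}

// Using Express
app.post("/webhookurl", function (req, res) {
  if (!secret) {
    // Fail closed: an unset or empty key would make every signature forgeable.
    return res.sendStatus(500);
  }

  // NOTE(review): the HMAC is computed over JSON.stringify(req.body), i.e. a
  // re-serialization of the parsed body. If the signature is computed over the
  // exact bytes that were sent, differences in key order or whitespace would
  // make valid events fail; in that case hash the raw body instead
  // (express.json() accepts a `verify` callback that receives the raw buffer).
  // Confirm against the provider's signing scheme.
  const hash = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(req.body))
    .digest('hex');

  // Validate the event before touching its contents.
  if (!signaturesMatch(hash, req.headers['x-dojah-signature'])) {
    // Missing or wrong signature: reject instead of acknowledging with 200.
    return res.sendStatus(401);
  }

  // Retrieve the request's body
  const event = req.body;
  // Do something with event

  // res.send(<number>) is deprecated in Express 4; sendStatus is the supported form.
  return res.sendStatus(200);
});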
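<?php
// Webhook endpoint: an event is accepted only when its x-dojah-signature header
// equals the HMAC-SHA256 of the raw request body, keyed with the secret key.

// PHP exposes request headers in $_SERVER under HTTP_* keys (upper case, with
// dashes turned into underscores), so the header must be looked up as
// HTTP_X_DOJAH_SIGNATURE. A lookup of 'x-dojah-signature' never matches.
if (
    !isset($_SERVER['REQUEST_METHOD'])
    || strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST'
    || !isset($_SERVER['HTTP_X_DOJAH_SIGNATURE'])
) {
    // Not a signed POST: reject instead of falling through to a default 200.
    http_response_code(401);
    exit();
}

// Read the secret from the environment rather than hard-coding it in the file.
$secret = getenv('SECRET_KEY');
if ($secret === false || $secret === '') {
    // Fail closed: an empty key would make every signature forgeable.
    http_response_code(500);
    exit();
}
define('DOJAH_SECRET_KEY', $secret);

// Get the request body exactly as it was received; the signature covers these bytes.
$input = file_get_contents("php://input");
if ($input === false) {
    http_response_code(400);
    exit();
}

// Validate the request. hash_equals() compares in constant time, so the
// comparison does not reveal how much of a guessed signature was correct.
$expected = hash_hmac('sha256', $input, DOJAH_SECRET_KEY);
if (!hash_equals($expected, $_SERVER['HTTP_X_DOJAH_SIGNATURE'])) {
    http_response_code(401);
    exit();
}

http_response_code(200);
// Parse the event only after the signature has been verified.
// json_decode() returns null when the body is not valid JSON.
$event = json_decode($input);
exit();
?>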