How to secure your webhooks

Table of Contents

  • Introduction
  • Use cases
    • Token validation
    • IP address whitelist
    • Signature validation

Introduction

Alumio allows you to receive webhook events triggered by external systems. Configuring a webhook gives you a URL that listens for HTTP requests on the public internet. Because anyone can reach that URL, you do not want the endpoint to accept unexpected requests from unknown sources.

To prevent this, add one or more security layers to the endpoint. Alumio offers a feature called pre-processors in the webhook configuration that validates a request before it is processed. The common approaches to webhook security are:

  • Token-based validation
  • IP address whitelist
  • Signature validation

Use cases

Token validation

Some systems can be configured to include a token in the webhooks they send, either in a request header, in a query (URI) parameter, or in the payload. Treat this token as a shared secret: anyone who learns it can send requests that pass the check.

If the system includes the token in a header, configure the pre-processor with the validator “Validate that header matches pattern”, as shown below.

If the system includes the token in a query parameter, configure the webhook pre-processor with the validator “HTTP request URI matcher” and the filter “URI Query String matcher”. Bear in mind that query strings are commonly written to web server and proxy logs, so a token placed there is more exposed than one sent in a header.

If the token is in the payload, configure the pre-processor with the validator “Validate message body”.
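The three token checks above are configured in the Alumio interface, not written by hand. To make explicit what a correct check does, here is an added example of the same three validations (header, query parameter, JSON body) in plain Python. It is not Alumio code: the token value, header name, parameter name and sample requests are constructed for illustration. The one detail worth copying is the constant-time comparison, which stops an attacker from recovering the token byte by byte through response timing.

```python
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Hypothetical shared secret agreed with the sending system (constructed for this example).
EXPECTED_TOKEN = "s3cr3t-webhook-token"


def _matches(candidate):
    """Compare in constant time so response timing cannot leak the token."""
    if candidate is None:
        return False
    return hmac.compare_digest(candidate.encode(), EXPECTED_TOKEN.encode())


def token_from_header(headers, name="X-Webhook-Token"):
    # HTTP header names are case-insensitive; normalise before looking one up.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def token_from_query(uri, param="token"):
    values = parse_qs(urlparse(uri).query).get(param, [])
    # Reject ambiguous requests that repeat the parameter instead of picking one.
    return values[0] if len(values) == 1 else None


def token_from_body(body, field="token"):
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None  # not JSON at all
    value = data.get(field) if isinstance(data, dict) else None
    return value if isinstance(value, str) else None


def validate_request(headers, uri, body, location):
    """Return True if the token found at `location` ('header', 'query' or 'body') is correct."""
    extractors = {
        "header": lambda: token_from_header(headers),
        "query": lambda: token_from_query(uri),
        "body": lambda: token_from_body(body),
    }
    return _matches(extractors[location]())


# Constructed sample requests (hypothetical host under the reserved .invalid TLD).
GOOD_HEADERS = {"Content-Type": "application/json", "x-webhook-token": EXPECTED_TOKEN}
BAD_HEADERS = {"Content-Type": "application/json", "X-Webhook-Token": "guess"}
GOOD_URI = "https://hooks.example.invalid/orders?token=s3cr3t-webhook-token&event=order.created"
DUP_URI = "https://hooks.example.invalid/orders?token=s3cr3t-webhook-token&token=other"
GOOD_BODY = json.dumps({"token": EXPECTED_TOKEN, "event": "order.created"})
BAD_BODY = json.dumps({"event": "order.created"})

if __name__ == "__main__":
    print(validate_request(GOOD_HEADERS, GOOD_URI, GOOD_BODY, "header"))  # True
    print(validate_request(BAD_HEADERS, GOOD_URI, GOOD_BODY, "header"))   # False
    print(validate_request(GOOD_HEADERS, DUP_URI, GOOD_BODY, "query"))    # False
    print(validate_request(GOOD_HEADERS, GOOD_URI, BAD_BODY, "body"))     # False
```

Whichever location the sender uses, the check fails closed: a missing token, a repeated query parameter, a non-JSON body or a wrong value all return False, and only an exact match returns True.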

IP address whitelist

If you know the IP addresses from which the external system sends its webhooks, add them to the whitelist so that only requests from those addresses are processed. This only works when the sender publishes a stable set of addresses, and it is best combined with token or signature validation rather than relied on alone.

For example, if you are sure that the HTTP requests from your external system come from IP addresses X.X.X.X and Y.Y.Y.Y, configure the pre-processor in your webhook configuration as shown below.
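As an added illustration of what the whitelist check has to get right (not Alumio's implementation, and independent of how the pre-processor is configured), the Python below accepts a request only when the client address falls inside an allowed range. The sender addresses and the trusted proxy range are constructed placeholders standing in for X.X.X.X and Y.Y.Y.Y. The part that is easy to get wrong is the X-Forwarded-For header: it is only honoured when the TCP peer is one of your own proxies, because otherwise any client can forge it and walk straight through the whitelist.

```python
import ipaddress

# Hypothetical sender addresses, standing in for X.X.X.X and Y.Y.Y.Y (constructed).
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/28"),  # a whole range, if the sender publishes one
]

# Hypothetical reverse proxies / load balancers in front of the endpoint (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_address(peer_addr, headers):
    """Work out the real client address, or None if the request is malformed.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy. The chain is
    walked from the right (the hop appended last) skipping trusted hops, so the first
    untrusted address is the one the proxy actually saw; anything the client itself put
    at the left of the header is ignored.
    """
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return None
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: the header cannot be trusted, use the socket peer

    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: refuse rather than guess
        if not _in_any(candidate, TRUSTED_PROXIES):
            return candidate
    return peer  # no untrusted hop found: fall back to the proxy itself


def is_allowed(peer_addr, headers):
    addr = client_address(peer_addr, headers)
    return addr is not None and _in_any(addr, ALLOWED_SOURCES)


if __name__ == "__main__":
    # Constructed sample connections.
    print(is_allowed("203.0.113.10", {}))                                        # True
    print(is_allowed("192.0.2.5", {"X-Forwarded-For": "203.0.113.10"}))         # False
    print(is_allowed("10.1.2.3", {"X-Forwarded-For": "203.0.113.10, 10.0.0.9"}))  # True
    print(is_allowed("10.1.2.3", {"X-Forwarded-For": "203.0.113.10, 192.0.2.77"}))  # False
```

The last two sample connections show the point: when the request arrives via a trusted proxy, the allowed address is taken from the proxy-supplied hop, and a client that prepends an allowed address to the header is still rejected because its own address is the rightmost untrusted entry.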

Signature validation

This approach is explained in a separate article: How to validate webhook requests using signatures.