Request Verification

How does webhook request verification work?

When you’ve configured a WebhookSigningSecret in the webhook settings of your space, a signature will be generated for all webhook requests coming from events in that space. When a consuming service receives a request, it can compute a signature in the same way. If the secret is the same, the signatures will match too, thus verifying that the sender knows the secret. For this reason, it is also important to not share the secret with any third party.

This signature and some additional metadata is then added to the headers of the request before it is sent. The headers look like this:

Consuming services can use these headers to verify the authenticity and integrity of incoming webhooks. See verifyRequest in node-apps-toolkit for more information.

Get started with Webhook Request Verification

Establishing a signing secret

A signing secret can be generated in the settings tab of the webhook settings page within a space. Click on Enable request verification in this tab, and a signing secret will be generated.

1. Go to the space that you want to enable request verification on webhooks.
2. Click Settings -> Webhooks.
3. Once on the Webhooks space settings page, click on the “Settings” tab.
4. Click the Enable request verification button to create the signing secret.
5. Copy the generated siging secret. You will not be able to copy it again once you navigate away from this view.

You can also manage secrets directly using the Content Management API (CMA). Visit the API documentation for details on how to manage the signing secret by using the API.

Once request verification has been enabled, all of the webhooks in the space will include signed request headers which can be used to verify their authenticity and integrity.

Verifying requests on the backend

Now that requests from your app contain the additional signature headers, your backend can start to enforce signed requests. The following is an example server in Node.js using the Express framework:

1
const express = require('express');
2
const { verifyRequest } = require('@contentful/node-apps-toolkit');
3
const app = express();
4
app.use(
5
  express.json({
6
    type: ['application/json', 'application/vnd.contentful.management.v1+json'],
7
  })
8
);
9
10
// This is the secret key that was generated by you or Contentful.
11
// Note: it is not best practice to hardcode secret keys into code.
12
// We are doing it here for demonstration purposes only. Preferably
13
// it should come from an environment variable or a file.
14
const secret = 'your-64-char-secret';
15
16
// This can be the endpoint configured to be called for webhook events
17
app.post('/webhook-event-handler', (req, res) => {
18
  const canonicalRequest = {
19
    path: req.path,
20
    headers: req.headers,
21
    method: req.method,
22
    body: JSON.stringify(req.body),
23
  };
24
  try {
25
    const isValid = verifyRequest(secret, canonicalRequest);
26
    if (!isValid) {
27
      res.status(403).send('Unauthorized');
28
    }
29
  } catch (e) {
30
    console.error(e);
31
    res.status(403).send('Unauthorized');
32
  }
33
34
  // ... rest of handler code
35
});
36
37
const port = 9000;
38
app.listen(port, () =>
39
  console.log(`App listening at http://localhost:${port}`)
40
);

This example uses node-apps-toolkit, which contains tools to create app backends in Node.js. The verifyRequest function will try to sign the contents of the incoming request and then compare them to the meta-information contained in the signing headers. The function will throw an error if the incoming request is shaped incorrectly or is older than the specified time-to-live (TTL). You can pass the TTL in seconds as an additional argument, or disable it by passing 0. If nothing is passed, the TTL will be 30 seconds. The documentation for node-apps-toolkit contains more detailed information on the signing and verification process.

Key rotation

Changing your secret while you are already enforcing secure requests requires some additional steps. This is because changing the secret on either side will cause verification to fail until the other side has been updated too. We can get around this by verifying against multiple secrets simultaneously in the backend. The process looks like this:

1. Generate a new secret
2. Verify requests against both the old and the new secret in your backend
3. Submit the new secret to Contentful using the web app or the API, causing further requests to be signed with the new key
4. Remove support for the old key from your backend

The following sections will go into detail on how to generate a secret and how to add support for multiple secrets in an backend.

Creating a secret

There are two constraints on the secret:

1. It must be exactly 64 characters long.
2. It must match this regular expression: /^[0-9a-zA-Z+/=_-]+$/. This also means secrets using the hex or base64 character set are allowed.

To make full use of the security provided by secure requests, we recommend using cyptographic random number generators with high entropy to generate a secret. Here are some examples for how to do this using different languages and tools. All examples can be run on the command line:

$
# Node.js >6.0
$
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
$
# Ruby
$
ruby -rsecurerandom -e 'puts SecureRandom.hex(32)'
$
# Python >3.6
$
python3 -c "from secrets import token_hex;print(token_hex(32))"
$
# OpenSSL
$
openssl rand -hex 32

Verify requests against multiple secrets

To properly test against multiple secrets, an attempt to verify the incoming request has to be made separately for each secret, as the request should only be rejected if none of the secrets can verify the request. The following is an example in Node.js using the Express framework:

1
const express = require('express');
2
const { verifyRequest } = require('@contentful/node-apps-toolkit');
3
const app = express();
4
app.use(
5
  express.json({
6
    type: ['application/json', 'application/vnd.contentful.management.v1+json'],
7
  })
8
);
9
10
// List multiple secrets, both the new and soon-to-be-disabled ones.
11
// Note: it is not best practice to hardcode secret keys into code.
12
// We are doing it here for demonstration purposes only. Preferably
13
// they should come from an environment variable or a file.
14
const secrets = ['old-64-char-secret', 'new-64-char-secret'];
15
16
app.post('/webhook-event-handler', (req, res) => {
17
  const canonicalRequest = {
18
    path: req.path,
19
    headers: req.headers,
20
    method: req.method,
21
    body: JSON.stringify(req.body),
22
  };
23
  try {
24
    const isValid = secrets.some((secret) =>
25
      verifyRequest(secret, canonicalRequest)
26
    );
27
    if (!isValid) {
28
      res.status(403).send('Unauthorized');
29
    }
30
  } catch (e) {
31
    console.error(e);
32
    res.status(403).send('Unauthorized');
33
  }
34
35
  // ... rest of handler code
36
});
37
38
const port = 9000;
39
app.listen(port, () =>
40
  console.log(`App listening at http://localhost:${port}`)
41
);

Verifying a signature

A working JavaScript implementation of signature verification can be found in the node-apps-toolkit. Additional working examples in C++, C#, Elixir, Go, Java, Kotlin, PHP, Python, Ruby, and Rust can be found in the request-verification-examples repository. If you need to verify a request in another programming language, you can use this pseudocode example of how signed requests can be verified as the basis for your implementation:

1
// The signing function takes a signing key and the request to be signed
2
function verifyRequest(signingKey, request) {
3
  // The signature, which we will be verifying the request against
4
  signature = getHeader('x-contentful-signature', request.headers)
5
6
  // The time when the request was signed, which can be used for a TTL check
7
  timestamp = getHeader('x-contentful-timestamp', request.headers)
8
  oneMinute = 60 * 1000
9
  if (Number(timestamp) + oneMinute < currentUnixTimeInMilliseconds) {
10
    return false
11
  }
12
13
  // one of GET, PUT, POST, DELETE etc.
14
  requestMethod = request.method
15
16
  // The request path excluding protocol, hostname, and port.
17
  // Any query strings should be url encoded, and the entire path
18
  // should be utf-8 encoded.
19
  [basePath, query] = request.path.split('?')
20
  query = urlEncode(query)
21
  requestPath = utf8Encode(query ? basePath + '?' + query : basePath)
22
23
  // The headers which have been signed
24
  signedHeaders = getHeader('x-contentful-signed-headers', request.headers)
25
26
  // The headers should be converted to lower case, and joined in a semicolon
27
  // separated list. The list should maintain the ordering from
28
  // 'x-contentful-signed-headers'
29
  requestHeaders = []
30
  for (headerName in signedHeaders.split(',')) {
31
    headerValue = getHeader(headerName, request.headers)
32
33
    requestHeaders.push(headerName.toLowerCase() + ':' + headerValue)
34
  }
35
  requestHeaders = requestHeaders.join(';')
36
37
  // The request body, exactly as it is in the HTTP body
38
  requestBody = request.body
39
40
  // The method, path, headers, and request body joined in a newline separated string
41
  canonicalRequestRepresentation = [
42
    requestMethod,
43
    requestPath,
44
    requestHeaders,
45
    requestBody
46
  ].join('\n')
47
48
  // HMAC_SHA256 hash digested as an hexadecimal string
49
  signature = createSignature(canonicalRequestRepresentation, signingKey)
50
51
  // We can now test for equality of the requestSignature, and the signature we
52
  // have generated and return the result
53
  return signature === requestSignature
54
}

Feedback

Our Developer Experience team highly welcomes feedback for all our features. To share your feedback, you can fill in this form.