Securing HTTP Endpoints

This is important because your response to HTTP webhook requests will contain information that must be kept private between you and the jambonz platform. We recommend that you use HTTPS connections secured with TLS certificates for your endpoints, and that you additionally take steps to verify that the incoming request was actually sent by jambonz, and not an imposter.

For the latter, you have two options:

  • You can use HTTP basic authentication to secure your endpoint with a username and password.
  • On the hosted platform, you can verify the signature of the HTTP request to know that it was sent by jambonz.

Verifying a signed request

The HTTP requests sent to you from the hosted platform will include a Jambonz-Signature header, which is a hash of the request payload signed with your webhook secret, which you can view (and when desired, change) in the self-service portal. Using that secret, you can verify that the request was actually sent by jambonz.

When using the Node.js SDK, this is done simply as http middleware.

const express = require('express');
const {WebhookResponse} = require('@jambonz/node-client');
const routes = require('./routes'); // your application's express.Router (path is an assumption)
const app = express();

app.use(WebhookResponse.verifyJambonzSignature('<your-webhook-secret>'));
app.use('/', routes); /* only requests with valid signatures will get here */