
Webhook Security

Encryption

In keeping with best practices, the DAS webhook API enforces the use of TLS v1.2 or later for transport encryption. Connections offering only earlier, deprecated TLS or SSL versions are rejected.

Authentication

Authentication is via a custom HTTP header containing an agreed shared secret, specific to a single webhook subscription.

info

Here “shared” means known only to the DAS webhook servers and to the customer’s own webhook integration endpoint. A token is specific to one subscription and is never shared between customers.

The shared secret is opaque to DAS, but must be a valid HTTP field value (printable characters, with no line breaks). Typically, we recommend a string of at least 32 cryptographically secure random printable characters, such as: o8gUgxns1AlNFeYKGS4NlK3U6Q3kJfSY.

tip

On Unix-like systems (Linux, MacOS, and Windows Subsystem for Linux), such strings can easily be generated via a command like: pwgen -s 32 1
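The following is an added example of the customer side of this scheme, not DAS code: generating a secret that satisfies the recommendation above (the Python equivalent of pwgen -s 32 1), checking that a candidate secret is a usable HTTP field value, and verifying the header on an inbound delivery with a constant-time comparison so that response timing does not reveal how many leading characters matched. The header name X-Webhook-Secret is an assumption; the page only says a custom header is used, so substitute the name agreed for your subscription.

```python
"""Customer-side handling of the DAS webhook shared secret.

Added example, not DAS code. Assumed (not stated on the page):
  * the custom header is called "X-Webhook-Secret" (hypothetical name);
  * the customer stores one secret string per subscription.
"""
import hmac
import secrets
import string

# Hypothetical header name; the page only says "a custom HTTP header".
SECRET_HEADER = "X-Webhook-Secret"

# Letters and digits only: always a valid HTTP field value and the same
# character class pwgen -s produces.
SECRET_ALPHABET = string.ascii_letters + string.digits


def generate_shared_secret(length: int = 32) -> str:
    """Return a cryptographically secure secret of `length` characters."""
    if length < 32:
        raise ValueError("use at least 32 characters, as recommended")
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def is_valid_field_value(value: str) -> bool:
    """True if `value` can be carried as an HTTP field value.

    Accepts visible ASCII plus SP and HTAB; rejects CR/LF (header injection)
    and leading/trailing whitespace, which intermediaries may strip.
    """
    if not value or value != value.strip():
        return False
    return all(ch == "\t" or 0x20 <= ord(ch) <= 0x7E for ch in value)


def verify_webhook_request(headers: dict, expected_secret: str) -> bool:
    """Authenticate one inbound delivery against the subscription's secret.

    Header lookup is case-insensitive (HTTP field names are). The comparison
    uses hmac.compare_digest, which takes the same time regardless of where
    the first mismatch is; unequal lengths simply compare false.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == SECRET_HEADER.lower():
            presented = value
            break
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_secret.encode("utf-8"))


def handle_delivery(headers: dict, body: bytes, expected_secret: str) -> tuple:
    """Minimal endpoint logic: (status, reply). Missing and wrong secrets get the
    same 401 so a caller cannot distinguish the two cases."""
    if not verify_webhook_request(headers, expected_secret):
        return (401, b"")
    # Authenticated as DAS; any further authorisation is the customer's own.
    return (200, b"received %d bytes" % len(body))


if __name__ == "__main__":
    # Constructed sample: the secret from the page and a delivery carrying it.
    secret = "o8gUgxns1AlNFeYKGS4NlK3U6Q3kJfSY"
    print(handle_delivery({"x-webhook-secret": secret}, b"{}", secret))   # (200, ...)
    print(handle_delivery({"X-Webhook-Secret": "nope"}, b"{}", secret))   # (401, b'')
```

Store the secret the same way you would any credential: per subscription, outside source control, and rotated by registering a new subscription rather than reusing a value across endpoints.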

Authorisation

From the DAS system’s perspective, authorisation occurs at the time of subscription. Therefore, DAS webhook servers need only verify that the customer endpoint presents a valid TLS certificate whose name matches the host name registered for that subscription.

The customer’s endpoint server may, having first authenticated the DAS client via the shared secret, perform its own additional authorisation steps, but this is beyond the scope of DAS systems.