Payload Signing
Every webhook HTTP request will contain two headers.
X-Braid-SecurityDigest is our calculation made using the secret key to hash a concatenation of the transmission timestamp and the body of the webhook.
X-Braid-OriginalTransmissionTime is the original timestamp which should not change if the webhook is retransmitted. This is the epoch timestamp in milliseconds.
The developer should perform their calculation using the HMAC-SHA256 algorithm and compare their result with the value in X-Braid-SecurityDigest.
Example
// `securityKey` is the key provided on webhook creation
String myDigest = computeHmacSha256(xBraidOriginTranTime + jsonEventBody, securityKey);
if(myDigest != xBraidSecurityDigest){
throw new SecurityException("Suspicious webhook detected!")
}