undefined | Better HN

0 pointsihsw12y ago0 comments

Grooveshark does it as well.

http://developers.grooveshark.com/docs/public_api/v3/

However it depends on a shared secret for generating/verifying signatures, and some companies (cough Stripe cough) have yet to implement that. As someone else has already mentioned, thankfully each webhook request from Stripe has an ID in it so you can query their API for verifying a webhook's authenticity.

0 comments

1 comments · 1 top-level

baudehlo12y ago

If it's just a shared secret, why not just make a secret (and complicated) URL for the web hook? It's shared with the deliverer but as long as you're using SSL it should be just as secure.

Speaking of which, the right way to do this is to validate their SSL client certificate, but I doubt many places are easily setup to do that - in fact I would bet the sending endpoint doesn't even use a certificate most of the time.

j / k navigate · click thread line to collapse