Why: Even though the communication is over HTTPS, which protects the channel, our tenants are asking how they can check that a request really comes from Mambu. On developer.mambu.com we currently advise adding a static value (described there as a cryptographic nonce) to the payload. The value is the same for every request of a given webhook, so it is not a nonce in the strict sense: the approach only holds as long as the value is never intercepted, because anyone who obtains it can impersonate Mambu until the value is rotated. The second way to check Mambu's identity as sender is to base the check on the static outbound IP Mambu uses for external requests, which arrives with the request. That IP differs from one environment to another and may change in the future; when it does we would have to notify our tenants to whitelist it again and amend their implementation, which may be disruptive for their business.
Ensures content integrity and the identity of the parties involved in the communication, based on a static shared key combined with dynamic, irreversibly generated values.
How: Similar to what we have at the install stage of Mambu Apps: set a key which can be used to sign the request. This key is shared between the two systems. Request signing should be optional, not the default.
This aspect has already been touched on briefly in https://mambu.aha.io/features/APP-184
Verify a Webhook
Each Webhook request includes a X-PhraseApp-Signature header which is generated using your app’s shared secret, along with the data sent in the request.
You can verify that the request originated from PhraseApp by computing the HMAC digest of the request body and comparing it to the value in the X-PhraseApp-Signature header.
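The following is an added illustration of the signing scheme proposed above, modelled on the PhraseApp approach; it is not Mambu's or PhraseApp's code. The header name X-Mambu-Signature, the `t=...,v1=...` header format and the 300-second tolerance window are assumptions for the example. It goes one step beyond a plain HMAC of the body: the sender's timestamp is included in the signed message, so an intercepted signature cannot be replayed outside the tolerance window, which addresses the replay weakness of a static shared value noted in the Why section.

```python
import hashlib
import hmac
import json

# Assumed header name for the example; Mambu has not specified one.
SIGNATURE_HEADER = "X-Mambu-Signature"


def sign_request(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>" with the shared key.

    Binding the timestamp into the signed message means the signature is only
    valid for this body and, on the receiving side, only within a time window.
    """
    msg = str(timestamp).encode("ascii") + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(value: str):
    """Split "t=<unix seconds>,v1=<hex digest>" into (timestamp, digest).

    Raises KeyError or ValueError on malformed input; the caller treats both
    as a failed verification.
    """
    parts = dict(p.split("=", 1) for p in value.split(","))
    return int(parts["t"]), parts["v1"]


def verify_request(secret: bytes, header_value: str, body: bytes,
                   now: int, tolerance: int = 300) -> bool:
    """Receiver side: recompute the HMAC over the *raw* request bytes and
    compare in constant time; reject stale or future-dated timestamps."""
    try:
        ts, received = parse_signature_header(header_value)
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, str(ts).encode("ascii") + b"." + body,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample: a made-up shared key and webhook payload.
    secret = b"shared-key-configured-at-install"
    body = json.dumps({"event": "loan.created", "id": "12345"}).encode()
    header = sign_request(secret, body, 1_700_000_000)

    print(SIGNATURE_HEADER + ": " + header)
    print("valid:", verify_request(secret, header, body, 1_700_000_010))
    print("tampered body:", verify_request(secret, header, body + b" ", 1_700_000_010))
    print("replayed later:", verify_request(secret, header, body, 1_700_000_600))
```

Two points for tenants implementing the check: verify over the raw request bytes exactly as received, not over a re-serialised JSON object, since any change in key order or whitespace changes the digest; and always use a constant-time comparison such as `hmac.compare_digest` rather than `==`, so that a byte-by-byte timing difference does not leak how much of the signature matched.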
Impact: This, together with the header management feature (https://mambu.aha.io/features/APP-412), will make webhooks trustworthy and usable in a wider range of integration scenarios, significantly extending our integration capabilities.