It’s very important to confirm that requests received on your webhook are sent from Leaf, to avoid IP spoofing attacks. To this end, you should verify webhook signatures.
Leaf generates signatures using a hash-based message authentication code (HMAC) with SHA-256, and the secret specified when you created the alerts' configuration as the HMAC key. Be careful with deserialization of the request body when using it to verify the signature. It's recommended that you get the request body as bytes. The signed content has no line breaks and spaces after symbols, it's a string of the raw JSON with white-spaces after “:” and “,”.
The digest is added to the X-Leaf-Signature header encoded in base 64.
Here is an example on how to verify the request in your webhook:
alert_payload corresponds to the payload of the alerts.
For example, if you need to authenticate a created field, the
alert_payload will be: