Authorisation and Configuration

To make calls to your webhook, updatedge uses HMAC authorisation. This ensures that any calls to your publicly exposed endpoints originate from updatedge and not a malicious actor.

Two elements are required:

A Timestamp header with the UTC time of when the request is made.
An Authorization header which should be a SHA256 hash of the timestamp and the shared secret appended together.
Copy

#Security Considerations

Your webhook implementation should ensure that the Timestamp is within a valid period (perhaps 5 minutes) to prevent replay attacks if the request is intercepted.

If the Timestamp is within the accepted period, the API should then generate a SHA256 hash of the timestamp using the shared secret. If the digest matches the value in the header then the request is to be considered authorised.

#Setup

To configure updatedge to make calls to your webhooks, you need to specify your API Base URL on the portal using the administrator account for your company. Go to your profile page and find the company section to set the following properties.

#Implementation

A request to

GET /contact-suggestions
Copy

will pass the following headers:

#Example Validation (C#)

var timestamp = Request.Headers["Timestamp"]
var authorisation = Request.Headers["Authorization"]; 
if (string.IsNullOrEmpty(timestamp) || 
   string.IsNullOrEmpty(authorisation))        
   return false; 
if (!DateTime.TryParse(timestamp, out DateTime value) || 
    value < DateTime.UtcNow.AddMinutes(-5))        
    return false; 
// Timestamp not within accepted period - prevent replay attacks 
var incomingDigest = authorisation.Split(" ")[1]; 
var calculatedDigest = GenerateSha256Hash(timestamp, SHARED_SECRET); 
return calculatedDigest = incomingDigest;
Copy

An example of an ActionFilterAttribute to decorate endpoints is also available.