It is important for any application to verify that a webhook it receives actually originated from the claimed source. To let client applications verify the authenticity of Donorbox webhooks, Donorbox includes a special header, Donorbox-Signature, in each webhook notification. The value of this header contains a timestamp and a signature that can be verified. The timestamp and signature are separated by a comma, as shown in the example below:
This signature is produced using the Signature Secret, a uniquely generated string for each webhook endpoint. To fetch the Signature Secret of your custom webhook endpoint, navigate to "Integrations & Addons" and click one of the records under the "CustomWebhooks" section to open its details page. On the custom webhook details page you will see the "Signature Secret" key, as shown below. Make sure to copy it and store it in a secure place.
Now that you know where to find the signature secret for your webhook endpoint, follow these steps to validate the signature received in the request header when Donorbox notifies the endpoint URL:
1. Extract the timestamp and signature from the header: split the header using the , character as the separator. The first part of the header string is the timestamp, and the second part is the signature.
2. Generate a string by concatenating the timestamp, the character . and the request body.
3. Determine the expected signature by computing an HMAC with the SHA256 hash function, using the endpoint's Signature Secret as the key and the string generated in the previous step as the message.
4. Validate the request
- Compare the signature in the header with the expected signature. Reject the request if they do not match.
- Also compare the difference between the received timestamp and the current timestamp. The received timestamp should not be older than 30 seconds or a minute.
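The four steps above, carried through in Python as an added example (not Donorbox's own code). It assumes the timestamp is in Unix seconds, that the signature is the hex encoding of the HMAC digest, and that the raw request body bytes are used rather than a re-serialised copy; it also uses a constant-time comparison so that the check does not leak the expected value through timing, and applies a 60-second freshness window.

```python
import hashlib
import hmac
import time
from typing import Optional


def sign_payload(secret: str, timestamp: str, body: bytes) -> str:
    """Steps 2 and 3: HMAC-SHA256 over "<timestamp>.<body>" keyed with the Signature Secret.

    Hex encoding of the digest is an assumption of this example.
    """
    message = timestamp.encode("utf-8") + b"." + body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_donorbox_signature(header: str, body: bytes, secret: str,
                              now: Optional[float] = None,
                              tolerance_seconds: int = 60) -> bool:
    """Return True only if the Donorbox-Signature header is valid for this raw body."""
    # Step 1: split on the comma; anything other than exactly two parts is malformed.
    parts = header.split(",")
    if len(parts) != 2:
        return False
    timestamp, signature = parts[0].strip(), parts[1].strip()

    # Timestamp is assumed to be Unix seconds; a non-numeric value is rejected.
    try:
        received_ts = int(timestamp)
    except ValueError:
        return False

    # Step 4 (freshness): reject notifications outside the tolerance window,
    # which blocks replay of an old but otherwise valid notification.
    current = time.time() if now is None else now
    if abs(current - received_ts) > tolerance_seconds:
        return False

    # Step 4 (signature): constant-time comparison against the expected value.
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample values; a real secret comes from the webhook details page.
    secret = "constructed-signature-secret"
    body = b'{"event":"donation.created","id":123}'
    ts = str(int(time.time()))
    header = f"{ts},{sign_payload(secret, ts, body)}"
    print("valid:", verify_donorbox_signature(header, body, secret))
```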