Verifying Webhooks

to validate a webhook came from mailfloss we suggest verifying the webhook payloads with the x request signature header (which we pass with every webhook that has a webhook secret) if you did not add a webhook secret then this header is not included in the payload you can add or modify the webhook secret at anytime inside of the mailfloss app by editing the corresponding webhook the x request signature header is a sha1 hmac hexdigest computed with the webhook secret and the raw body of the request an example in javascript with a webhook secret of "my little pony" is posted below if (headers\['x request signature']) { const crypto = require('crypto'); const text = json stringify(request body); const key = "my little pony"; const hash = crypto createhmac('sha1', key) update(text) digest('hex'); if (hash === headers\['x request signature']) { console log('match'); } else { console log('no match'); } }