Check AfterShip's base64-encoded HMAC signature to verify every incoming webhook event and avoid replay attacks.

Every webhook request includes a calculated digital signature for verification, carried in the aftership-hmac-sha256 header. The signature is a base64-encoded HMAC computed with the SHA-256 algorithm over the webhook request body, keyed with the webhook secret of your account.

Each webhook request can be verified by computing the HMAC digest over the received body and comparing it with the digest attached in the header. Compute it over the raw request body exactly as it arrived, since re-serializing parsed JSON can change the bytes, and compare the two values with a constant-time comparison rather than a plain string equality.

The following Node.js example demonstrates the computation of a webhook signature.

const crypto = require('crypto');
const WEBHOOK_SECRET = "....."; // your webhook secret

// Returns the base64-encoded HMAC-SHA256 of the raw request body string,
// keyed with the account's webhook secret.
function generateSignature(requestBodyString) {
    return crypto
        .createHmac('sha256', WEBHOOK_SECRET)
        .update(requestBodyString, 'utf8')
        .digest('base64');
}

Note: the webhook secret can be obtained by going to Settings > Notifications.