Secure your webhooks
Once you’ve created webhooks from the dashboard, you need to secure them so that they do not expose your system to vulnerabilities.
Whitelist our IP address
The first thing to do is to whitelist our IP addresses so that nobody other than us can call your URLs. We will always call your callback URL from the same IP addresses:
Test environment:
15.236.169.32
Production environment:
15.236.169.164
35.180.249.12
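Use the X-Forwarded-For header to get the source IP. Only trust this header when it is set by your own reverse proxy or load balancer, because a client can send any value in it.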
Use the provided secret to check the signatures
Webhooks Signature
When a webhook is created, a secret is automatically generated for your whole application. This secret is used to sign every event sent to your endpoint. You can find the secret on your developer portal.
Check the webhook signatures
Check the events that we send to your webhook endpoints. We sign the events by including a signature in each event's x-lifen-platform-signature header. This allows you to verify that the events were sent by Lifen, not by a third party.
Example:
x-lifen-platform-signature: 9b329e633efebd025273e6b539a59a57ad954c90a8fdea4e8e070430d2de4880
We generate signatures using a hash-based message authentication code (HMAC) with SHA-256.
Step 1: Extract the signatures from the header
Step 2: Determine the expected signature - Compute an HMAC with the SHA256 hash function. Use the endpoint’s signing secret as the key, and use the received event, in the string format, as the message.
Step 3: Compare the signatures - Compare the signature (or signatures) in the header to the expected signature.
Signature verification: examples
In the following examples, SECRET is the secret of your signature and PAYLOAD is the whole body sent by the webhook. If you try these examples with the following values:
SECRET = "644b2ac3-0797-4ec6-9537-cb5c0af9caf9"
PAYLOAD = {
"notification-uuid": "776b3f5d-a942-492c-9ea7-2e5aa88cb564",
"events" : [{
"event-details": {
"new-patient": "Patient/22908770",
"old-patient": "Patient/34535354"
},
"event-uuid": "766b2f5d-a942-492c-9ea7-2e5aa88cb673",
"timestamp": "2020-03-18T16:03:38.000+00:00"
}]
}
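You should obtain: FAA8ECAC21DA6405D789C76EDB4003756398E7169DACC3FA70CF5919A81374A8
See this code example to get this result:
// SECRET and PAYLOAD are the values given above; PAYLOAD is the exact body string as received.
const crypto = require('crypto');
// HMAC-SHA256 keyed with the secret, over the whole body, as a hex string.
const hash = crypto.createHmac('SHA256', SECRET).update(PAYLOAD).digest('hex');
console.log(hash.toUpperCase());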
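The three steps above as one check in Node.js, to match the snippet above. This is an added example, not Lifen's code: verifyLifenSignature, sign, demo and the sample secret and body are constructed for illustration, and the header is assumed to carry a single hex signature.

```javascript
const crypto = require('crypto');

// Returns true only if headerValue is the hex HMAC-SHA256 of rawBody under secret.
// rawBody must be the exact body as received (Buffer or string), not re-serialized JSON.
function verifyLifenSignature(rawBody, headerValue, secret) {
  if (typeof headerValue !== 'string') return false;
  const received = headerValue.trim();
  // 64 hex characters = 32-byte SHA-256 output; accept upper or lower case.
  if (!/^[0-9a-fA-F]{64}$/.test(received)) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, Buffer.from(received, 'hex'));
}

// Constructed sample values (not a real secret or a real event).
const SAMPLE_SECRET = '00000000-0000-4000-8000-000000000000';
const SAMPLE_BODY = '{"notification-uuid": "constructed-uuid",\n  "events": []}';

// Stand-in for the sender: the value that would be placed in
// x-lifen-platform-signature for this body.
function sign(body, secret) {
  return crypto.createHmac('sha256', secret).update(body).digest('hex');
}

function demo() {
  const header = sign(SAMPLE_BODY, SAMPLE_SECRET);
  // Parsing and re-serializing drops whitespace, so the signed bytes no longer match.
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_BODY));
  return {
    exactBody: verifyLifenSignature(SAMPLE_BODY, header, SAMPLE_SECRET),
    upperCaseHeader: verifyLifenSignature(SAMPLE_BODY, header.toUpperCase(), SAMPLE_SECRET),
    reserializedBody: verifyLifenSignature(reserialized, header, SAMPLE_SECRET),
    tamperedBody: verifyLifenSignature(SAMPLE_BODY + ' ', header, SAMPLE_SECRET),
    wrongSecret: verifyLifenSignature(SAMPLE_BODY, header, 'another-secret'),
    missingHeader: verifyLifenSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    malformedHeader: verifyLifenSignature(SAMPLE_BODY, 'not-hex', SAMPLE_SECRET),
  };
}

console.log(demo());
```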