Webhook Security and Signatures
Overview
Webhook security helps the receiving system verify that the request came from your RISE CRM installation.
Example headers
Content-Type: application/json
X-RLP-Signature: sha256=GENERATED_SIGNATURE
X-RLP-Timestamp: 1779000000Verification concept
expected = HMAC_SHA256(timestamp + "." + raw_body, webhook_secret)
if expected != received_signature:
reject_request()Security rules
- Use HTTPS only.
- Configure a webhook secret if supported.
- Reject invalid signatures.
- Reject old timestamps to reduce replay attacks.
- Rotate secrets if exposed.
Important
Use the exact signature algorithm implemented by your plugin version. The example explains the concept.
