Securing Webhook Endpoints
Validate a shared secret to protect your webhook endpoints from unauthorized requests
Protect your webhook endpoints by validating a shared secret sent as an HTTP header. Configure the secret once, then check it in every handler.
Configuring the Header
Navigate to the event trigger’s Additional Headers section and add a header:

Set the header name to nhost-webhook-secret and the value from the environment variable NHOST_WEBHOOK_SECRET.
```yaml
headers:
  - name: nhost-webhook-secret
    value_from_env: NHOST_WEBHOOK_SECRET
```
Validating in Your Handler
```typescript
import { createHash, timingSafeEqual } from 'node:crypto'
import type { Request, Response } from 'express'

// Hash both values so timingSafeEqual always compares equal-length buffers
const hash = (value: string) => createHash('sha256').update(value).digest()

export default async (req: Request, res: Response) => {
  // Every event handler should validate the webhook secret
  const webhookSecret = req.headers['nhost-webhook-secret'] as string | undefined
  const expected = process.env.NHOST_WEBHOOK_SECRET
  if (
    !webhookSecret ||
    !expected ||
    !timingSafeEqual(hash(webhookSecret), hash(expected))
  ) {
    return res.status(401).json({ message: 'Unauthorized' })
  }

  // ... handler logic
}
```
Related resources
- Community Notifications — event trigger handler using this pattern
- Stale Todo Cleanup — cron trigger handler using this pattern
- Broadcast Notifications — one-off event handler using this pattern
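
The check from "Validating in Your Handler", factored into a wrapper so it can be applied to every handler. This is an added example, not code from the original page or from Nhost; `isValidWebhookSecret`, `withWebhookSecret`, the `Req`/`Res` shapes and the sample secret are hypothetical names and constructed values.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto'

// SHA-256 gives both sides a 32-byte digest; timingSafeEqual throws a
// RangeError when its inputs differ in length, so raw strings are not compared.
const hash = (value: string) => createHash('sha256').update(value).digest()

// Express types a header as string | string[] | undefined.
type HeaderValue = string | string[] | undefined

// Hypothetical helper: true only for a single non-empty header value that
// matches a non-empty configured secret (fails closed if either is missing).
function isValidWebhookSecret(received: HeaderValue, expected: string | undefined): boolean {
  if (typeof received !== 'string' || !received || !expected) return false
  return timingSafeEqual(hash(received), hash(expected))
}

// Minimal request/response shapes (assumption) so this runs without Express.
type Req = { headers: Record<string, HeaderValue> }
type Res = { status(code: number): Res; json(body: unknown): unknown }
type Handler = (req: Req, res: Res) => unknown

// Hypothetical wrapper: the handler runs only after the secret check passes.
function withWebhookSecret(
  handler: Handler,
  expected: string | undefined = process.env.NHOST_WEBHOOK_SECRET
): Handler {
  return (req, res) => {
    if (!isValidWebhookSecret(req.headers['nhost-webhook-secret'], expected)) {
      return res.status(401).json({ message: 'Unauthorized' })
    }
    return handler(req, res)
  }
}

// Constructed sample secret and requests, not real values.
const SAMPLE_SECRET = 'constructed-sample-secret'

function demo(): number[] {
  const codes: number[] = []
  const res: Res = { status(code) { codes.push(code); return res }, json: (body) => body }
  const wrapped = withWebhookSecret((_req, r) => r.status(200).json({ ok: true }), SAMPLE_SECRET)
  wrapped({ headers: { 'nhost-webhook-secret': SAMPLE_SECRET } }, res) // accepted
  wrapped({ headers: { 'nhost-webhook-secret': 'short' } }, res) // wrong value, different length
  wrapped({ headers: {} }, res) // header missing
  return codes
}
```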