LiquidPlanner Classic Forum

Ask a Question
Back to All

Webhook authentication & verification of source

Posted on behalf of Alex Willisson. Original posting date 2015-05-05.

I'm building a system where a webhook phones home to a CGI script on my server, which does some more complicated work. In the script, I need to verify that the POST request is from a LP webhook and not someone masquerading as one. Is there anything in what a webhook sends to my server that can let me verify that it is actually an official LiquidPlanner webhook, and not someone pretending to be one?

I have all sorts of juicy details about the SSL connection, remote IP, json from webhook, etc. Nothing's standing out to me as a good way to verify who the client is. My fallback plan is to use the webhook as a trigger to check in what the actual state of the LP object is, but I'd prefer to use the webhook itself.