Security
HookSniff uses industry-standard security practices to protect webhook deliveries. Every webhook is signed, encrypted in transit, and verified before processing.
HMAC-SHA256 Signature Verification
Every webhook includes a cryptographic signature computed with HMAC-SHA256. This proves the webhook came from HookSniff and wasn't tampered with.
HookSniff follows the Standard Webhooks specification — the same standard used by Svix, Clerk, and other webhook providers.
Headers
Each delivery includes three headers:
| Header | Description |
|---|---|
| webhook-id | Unique message ID (e.g., msg_abc123) |
| webhook-timestamp | Unix timestamp. Reject if older than 5 minutes. |
| webhook-signature | Space-separated list of signatures, each prefixed with `v1,` |
Algorithm
```
signed_content = "{webhook-id}.{webhook-timestamp}.{body}"
signature = "v1," + base64(hmac_sha256(secret, signed_content))
```
Verify with SDKs
All HookSniff SDKs handle verification automatically:
```javascript
// Node.js
import { Webhook } from 'hooksniff';
const wh = new Webhook('whsec_your_secret');
const payload = wh.verify(req.body, {
  'webhook-id': req.headers['webhook-id'],
  'webhook-timestamp': req.headers['webhook-timestamp'],
  'webhook-signature': req.headers['webhook-signature'],
});
```
```python
# Python
from hooksniff import Webhook
wh = Webhook("whsec_your_secret")
payload = wh.verify(request.data, dict(request.headers))
```
```go
// Go
wh, err := hooksniff.NewWebhook("whsec_your_secret")
if err != nil {
	return err // malformed secret
}
payload, err := wh.Verify(r.Body, r.Header) // non-nil err: reject the delivery
```
See Webhook Verification Guide for all 11 languages.
SSRF Protection
HookSniff blocks webhook delivery to private/internal IP addresses to prevent Server-Side Request Forgery (SSRF) attacks.
| Blocked | Examples |
|---|---|
| Private IPs | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
| Loopback | 127.0.0.1, ::1, localhost |
| Metadata endpoints | 169.254.169.254 (AWS/GCP/Azure metadata) |
| DNS rebinding | Resolved at delivery time, not registration time |
TLS Enforcement
All webhook deliveries use HTTPS. HookSniff refuses to deliver to HTTP endpoints (except localhost for development).
- TLS 1.2+ required
- Certificate validation enforced
- HTTP endpoints rejected with endpoint_url_not_https error
Two-Factor Authentication (2FA)
Protect your HookSniff account with TOTP-based 2FA:
```bash
# Enable 2FA
curl -X POST https://hooksniff-api-1046140057667.europe-west1.run.app/v1/auth/2fa/enable \
  -H "Authorization: Bearer hr_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"password": "your_password"}'
# Returns QR code URL for your authenticator app
```
API Key Security
Use environment variables
Never hardcode API keys. Use env vars or secrets managers.
Rotate keys periodically
Rotate API keys from Settings → API Keys → Rotate.
Use separate keys per environment
Different keys for development, staging, and production.
Scope keys to minimum permissions
Create read-only keys for monitoring, write keys for sending.
Never commit keys to version control
Add .env to .gitignore. Use secrets managers in CI/CD.
Never expose keys in client-side code
API keys belong on your server, not in browser JavaScript.
Security Incident Response
If you suspect a security issue:
- Rotate your API key immediately — Settings → API Keys → Rotate
- Rotate endpoint signing secrets — Endpoints → Select → Rotate Secret
- Check audit log — Settings → Audit Log for suspicious activity
- Contact support — security@hooksniff.vercel.app