HTTP Post (Webhook) Security Settings

MailMunch allows you to secure the incoming webhook request to your API endpoint by using a combination of your secret key and the request's timestamp.

To secure your requests, edit the HTTP Post integration in your opt-in form's edit flow and enter a secret key:

Once you've entered the secret key, all future webhook requests will contain the following two headers:

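  • X-Mailmunch-Time: the request's timestamp as Unix epoch time
  • Authorization: the SHA256 hash of your secret key followed by the timestamp, encoded with base64.

The timestamp used to compute the Authorization hash is the same value that is sent in the X-Mailmunch-Time header, so your endpoint can recompute the hash from that header and your secret key and compare the two.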

Here's a PHP code snippet to verify a secure request.

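```php
function is_secure_request() {
    // Header names are case-insensitive; normalise the keys before lookup.
    $headers = array_change_key_case(getallheaders(), CASE_LOWER);
    $time = isset($headers['x-mailmunch-time']) ? $headers['x-mailmunch-time'] : null;
    $authorization = isset($headers['authorization']) ? $headers['authorization'] : null;
    if (empty($time) || empty($authorization)) return false;

    // The header value has the form "<algo> <base64 hash>".
    $parts = explode(' ', $authorization, 2);
    if (count($parts) !== 2) return false;
    $hash = base64_decode($parts[1], true); // strict mode rejects non-base64 input
    if ($hash === false) return false;
    $key = '#tToArng8YPJ4R'; // Replace with your own key

    // hash_equals() compares in constant time, unlike ==.
    return hash_equals(hash('sha256', $key . $time, true), $hash);
}

if (is_secure_request()) {
    // process contact
}
```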
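The following is an added example, not part of the original article and not MailMunch's code. It builds the two headers the way the snippet above expects them, so you can test your endpoint offline, and it extends the check with a freshness window on the timestamp. The function names, the scheme token, the sample key and the 300-second window are assumptions, as is reading X-Mailmunch-Time as seconds.

```php
<?php
// Added example. Header names and the hash construction follow the article;
// the scheme token, sample key and 300 s window are assumptions.

function build_test_headers(string $key, int $time, string $scheme = 'SCHEME'): array {
    // Authorization = "<scheme> base64(sha256(key . time))"
    $digest = hash('sha256', $key . $time, true);
    return [
        'X-Mailmunch-Time' => (string) $time,
        'Authorization'    => $scheme . ' ' . base64_encode($digest),
    ];
}

function verify_headers(array $headers, string $key, int $now, int $maxAge = 300): string {
    // Header names are case-insensitive, so normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);
    $time = $h['x-mailmunch-time'] ?? '';
    $parts = explode(' ', $h['authorization'] ?? '', 2);
    if (!ctype_digit($time) || count($parts) !== 2) {
        return 'malformed';
    }
    $given = base64_decode($parts[1], true);   // strict: reject non-base64 input
    if ($given === false) {
        return 'malformed';
    }
    $expected = hash('sha256', $key . $time, true);
    if (!hash_equals($expected, $given)) {     // constant-time comparison
        return 'bad-signature';
    }
    // The hash covers only key + timestamp, so a header pair does not expire
    // on its own; refusing old timestamps bounds how long it can be reused.
    return abs($now - (int) $time) <= $maxAge ? 'ok' : 'stale';
}

$key  = 'example-secret-key';   // constructed sample key
$now  = 1700000000;             // constructed "current" time
$good = build_test_headers($key, $now - 10);
$cases = [
    'valid'       => $good,
    'wrong key'   => build_test_headers('other-key', $now - 10),
    'edited time' => ['X-Mailmunch-Time' => (string) $now] + $good,
    'old request' => build_test_headers($key, $now - 3600),
    'no auth'     => ['X-Mailmunch-Time' => (string) $now],
];
foreach ($cases as $name => $headers) {
    printf("%-12s %s\n", $name, verify_headers($headers, $key, $now));
}
```

In a live endpoint, pass getallheaders() and time() in place of the constructed headers and clock.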
