
About Webhooks

Webhooks let your integrations take action in response to events that occur on Harmonic IaaS.

Webhook security

We use the HMAC security technique. Each delivery carries a header with a signature generated with the shared secret, so that your server processes only webhook deliveries that were sent by Harmonic and can confirm that the delivery was not tampered with.

Hash-based Message Authentication Code (HMAC)

When using HMAC security, each message sent from Harmonic to your endpoint includes a header that contains the message body hashed with our shared secret using HMAC-SHA256.

After receiving the message containing the HMAC header values, your app must validate that they are authentic by re-creating them. If the message body hashed with the HMAC key (shared secret) matches the provided HMAC header value, you can verify that the message came from Harmonic.

Validating webhook deliveries

Important

Harmonic will use the shared secret to create a hash signature that’s sent to you with each payload. The hash signature appears in each delivery as the value of the x-signature-256 header.

There are a few important things to keep in mind when validating webhook payloads:

- Harmonic uses an HMAC hex digest to compute the hash.
- The hash signature always starts with sha256=.
- The hash signature is generated using the shared secret and the payload contents.
- If your language and server implementation specifies a character encoding, ensure that you handle the payload as UTF-8. Webhook payloads can contain Unicode characters.
- Never use a plain == operator. Instead, consider using a method like secure_compare or crypto.timingSafeEqual, which performs a "constant time" string comparison to help mitigate certain timing attacks against regular equality operators, or regular loops in JIT-optimized languages.
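
One way to implement these checks in Node.js, as an added example that is not Harmonic's own code. The function names, the sample secret and the sample payload are assumptions made for illustration; pass the raw request body exactly as received, not a re-serialized JSON object.

```javascript
// Added example (not Harmonic's code): verify the x-signature-256 header.
const crypto = require('node:crypto');

const PREFIX = 'sha256=';

// Compute the header value expected for a raw body and shared secret.
function sign(secret, rawBody) {
  const digest = crypto
    .createHmac('sha256', secret)
    .update(rawBody) // Buffer of the received bytes; a string is hashed as UTF-8
    .digest('hex');
  return PREFIX + digest;
}

// Returns true only if headerValue is a well-formed signature for rawBody.
function verifySignature(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string' || !headerValue.startsWith(PREFIX)) {
    return false; // header missing, repeated (array), or wrong scheme
  }
  const expected = Buffer.from(sign(secret, rawBody), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  // The expected length is fixed and public, so this check leaks nothing.
  if (expected.length !== received.length) {
    return false;
  }
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values, for illustration only.
const SAMPLE_SECRET = 'example-shared-secret';
const SAMPLE_BODY = Buffer.from('{"event":"instance.created","name":"café"}', 'utf8');
const SAMPLE_HEADER = sign(SAMPLE_SECRET, SAMPLE_BODY);
```

In a web framework, read the header as `x-signature-256` and capture the body bytes before any JSON parser runs, since parsing and re-serializing can change the bytes that were signed.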
