Reformat #2849 content

Author: pwizla

docusaurus/docs/cms/backend-customization/webhooks.md

@@ -68,30 +68,105 @@ export default {
 </TabItem>
 </Tabs>
 
-## Securing your webhooks
+## Webhooks security
 
 Most of the time, webhooks make requests to public URLs, therefore it is possible that someone may find that URL and send it wrong information.
 
 To prevent this from happening you can send a header with an authentication token. Using the Admin panel you would have to do it for every webhook.
 
-:::tip Verify signatures
-In addition to auth headers, sign webhook payloads and verify signatures server‑side to prevent tampering and replay attacks.
+
+Another way is to define `defaultHeaders` to add to every webhook request.
+
+You can configure these global headers by updating the file at `./config/server`:
+
+<Tabs>
+
+<TabItem value="simple-token" label="Simple token">
+
+<Tabs groupId="js-ts">
+<TabItem value="js" label="JavaScript">
+
+```js title="./config/server.js"
+module.exports = {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: "Bearer my-very-secured-token",
+    },
+  },
+};
+```
+
+</TabItem>
+
+<TabItem value="ts" label="TypeScript">
+
+```js title="./config/server.ts"
+export default {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: "Bearer my-very-secured-token",
+    },
+  },
+};
+```
+
+</TabItem>
+</Tabs>
+
+</TabItem>
+
+<TabItem value="environment-variable" label="Environment variable">
+
+<Tabs groupId="js-ts">
+<TabItem value="js" label="JavaScript">
+
+```js title="./config/server.js"
+module.exports = {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
+    },
+  },
+};
+```
+
+</TabItem>
+
+<TabItem value="ts" label="TypeScript">
+
+```js title="./config/server.ts"
+export default {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
+    },
+  },
+};
+```
+
+</TabItem>
+</Tabs>
+
+</TabItem>
+
+</Tabs>
+
+If you are developing the webhook handler yourself you can now verify the token by reading the headers.
+
+### Verifying signatures
+
+In addition to auth headers, it's recommended to sign webhook payloads and verify signatures server‑side to prevent tampering and replay attacks. To do so, you can use the following guidelines:
 
 - Generate a shared secret and store it in environment variables
 - Have the sender compute an HMAC (e.g., SHA‑256) over the raw request body plus a timestamp
 - Send the signature (and timestamp) in headers (e.g., `X‑Webhook‑Signature`, `X‑Webhook‑Timestamp`)
 - On receipt, recompute the HMAC and compare using a constant‑time check
 - Reject if the signature is invalid or the timestamp is too old to mitigate replay
 
-Learn more:
-- <ExternalLink to="https://owasp.org/www-community/attacks/Replay_Attack" text="OWASP replay attacks" />,
-- <ExternalLink to="https://nodejs.org/api/crypto.html#class-hmac" text="Node.js HMAC" />.
-:::
-
 <details>
 <summary>Example: Verify HMAC signatures (Node.js)</summary>
 
-Here is a minimal Node.js middleware example (pseudo‑code) showing HMAC verification:
+Here is a minimal Node.js middleware example (pseudo‑code) showing <ExternalLink text="HMAC" to="https://nodejs.org/api/crypto.html#class-hmac" /> verification:
 
 <Tabs groupId="js-ts">
 <TabItem value="js" label="JavaScript">
@@ -161,91 +236,12 @@ export default (config: unknown, { strapi }: any) => {
 </TabItem>
 </Tabs>
 
-Additional external examples:
+Here a few additional external examples:
 - <ExternalLink to="https://docs.github.com/webhooks/using-webhooks/validating-webhook-deliveries" text="GitHub — Validating webhook deliveries" />
 - <ExternalLink to="https://stripe.com/docs/webhooks/signatures" text="Stripe — Verify webhook signatures" />
 <br />
 </details>
 
-
-Another way is to define `defaultHeaders` to add to every webhook request.
-
-You can configure these global headers by updating the file at `./config/server`:
-
-<Tabs>
-
-<TabItem value="simple-token" label="Simple token">
-
-<Tabs groupId="js-ts">
-<TabItem value="js" label="JavaScript">
-
-```js title="./config/server.js"
-module.exports = {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: "Bearer my-very-secured-token",
-    },
-  },
-};
-```
-
-</TabItem>
-
-<TabItem value="ts" label="TypeScript">
-
-```js title="./config/server.ts"
-export default {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: "Bearer my-very-secured-token",
-    },
-  },
-};
-```
-
-</TabItem>
-</Tabs>
-
-</TabItem>
-
-<TabItem value="environment-variable" label="Environment variable">
-
-<Tabs groupId="js-ts">
-<TabItem value="js" label="JavaScript">
-
-```js title="./config/server.js"
-module.exports = {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
-    },
-  },
-};
-```
-
-</TabItem>
-
-<TabItem value="ts" label="TypeScript">
-
-```js title="./config/server.ts"
-export default {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
-    },
-  },
-};
-```
-
-</TabItem>
-</Tabs>
-
-</TabItem>
-
-</Tabs>
-
-If you are developing the webhook handler yourself you can now verify the token by reading the headers.
-
 <!--- ### Usage
 
 To access the webhook configuration panel, go to `Settings` > `Webhooks`.

docusaurus/static/llms-code.txt

@@ -14104,9 +14104,68 @@ export default {
 
 
 ## Securing your webhooks
-Description: Here is a minimal Node.js middleware example (pseudo‑code) showing HMAC verification:
+Description: You can configure these global headers by updating the file at ./config/server:
 (Source: https://docs.strapi.io/cms/backend-customization/webhooks#securing-your-webhooks)
 
+Language: JavaScript
+File path: ./config/server.js
+
+```js
+module.exports = {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: "Bearer my-very-secured-token",
+    },
+  },
+};
+```
+
+---
+Language: TypeScript
+File path: ./config/server.ts
+
+```ts
+export default {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: "Bearer my-very-secured-token",
+    },
+  },
+};
+```
+
+Language: JavaScript
+File path: ./config/server.js
+
+```js
+module.exports = {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
+    },
+  },
+};
+```
+
+---
+Language: TypeScript
+File path: ./config/server.ts
+
+```ts
+export default {
+  webhooks: {
+    defaultHeaders: {
+      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
+    },
+  },
+};
+```
+
+
+## Verifying signatures
+Description: Here is a minimal Node.js middleware example (pseudo‑code) showing verification:
+(Source: https://docs.strapi.io/cms/backend-customization/webhooks#verifying-signatures)
+
 Language: JavaScript
 File path: /src/middlewares/verify-webhook.js
 
@@ -14172,60 +14231,6 @@ export default (config: unknown, { strapi }: any) => {
 };
 ```
 
-Language: JavaScript
-File path: ./config/server.js
-
-```js
-module.exports = {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: "Bearer my-very-secured-token",
-    },
-  },
-};
-```
-
----
-Language: TypeScript
-File path: ./config/server.ts
-
-```ts
-export default {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: "Bearer my-very-secured-token",
-    },
-  },
-};
-```
-
-Language: JavaScript
-File path: ./config/server.js
-
-```js
-module.exports = {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
-    },
-  },
-};
-```
-
----
-Language: TypeScript
-File path: ./config/server.ts
-
-```ts
-export default {
-  webhooks: {
-    defaultHeaders: {
-      Authorization: `Bearer ${process.env.WEBHOOK_TOKEN}`,
-    },
-  },
-};
-```
-
 
 ## entry.create
 Description: Example payload

docusaurus/static/llms-full.txt

@@ -5993,34 +5993,44 @@ Most of the time, webhooks make requests to public URLs, therefore it is possibl
 
 To prevent this from happening you can send a header with an authentication token. Using the Admin panel you would have to do it for every webhook.
 
-:::tip Verify signatures
-In addition to auth headers, sign webhook payloads and verify signatures server‑side to prevent tampering and replay attacks.
+Another way is to define `defaultHeaders` to add to every webhook request.
 
-- Generate a shared secret and store it in environment variables
-- Have the sender compute an HMAC (e.g., SHA‑256) over the raw request body plus a timestamp
-- Send the signature (and timestamp) in headers (e.g., `X‑Webhook‑Signature`, `X‑Webhook‑Timestamp`)
-- On receipt, recompute the HMAC and compare using a constant‑time check
-- Reject if the signature is invalid or the timestamp is too old to mitigate replay
-
-Learn more:
-- 
+You can configure these global headers by updating the file at `./config/server`:
 
 </Tabs>
 
-Additional external examples:
-- 
+</TabItem>
 
 </Tabs>
 
 </TabItem>
 
 </Tabs>
 
-</TabItem>
+If you are developing the webhook handler yourself you can now verify the token by reading the headers.
+
+### Verifying signatures
+
+In addition to auth headers, it's recommended to sign webhook payloads and verify signatures server‑side to prevent tampering and replay attacks. To do so, you can use the following guidelines:
+
+- Generate a shared secret and store it in environment variables
+- Have the sender compute an HMAC (e.g., SHA‑256) over the raw request body plus a timestamp
+- Send the signature (and timestamp) in headers (e.g., `X‑Webhook‑Signature`, `X‑Webhook‑Timestamp`)
+- On receipt, recompute the HMAC and compare using a constant‑time check
+- Reject if the signature is invalid or the timestamp is too old to mitigate replay
+
+<details>
+<summary>Example: Verify HMAC signatures (Node.js)</summary>
+
+Here is a minimal Node.js middleware example (pseudo‑code) showing 
 
 </Tabs>
 
-If you are developing the webhook handler yourself you can now verify the token by reading the headers.
+Here a few additional external examples:
+- 
+- 
+<br />
+</details>
 
 <!--- ### Usage