Webhook security

[nick16180]

I want to use webhooks to send info to an API that I have and do some processing. When I test the webhook, I get the following headers and response using https://webhook-test.com/. How do I verify the source so that bad actors cannot send whatever they want? I don't see a key that is consistent between requests.

Request Headers
POST	f7a77174-2134-41bf-a6b4-f09feb0632bf
USER_AGENT	Go-http-client/2.0
REMOTE_ADDR	MYIP
CONTENT_TYPE	application/json
X_REQUEST_ID	8b5bd4eebfc5a2589cad3ecec601c41f
CONTENT_LENGTH	558
ACCEPT_ENCODING	gzip, br
X_REQUEST_START	1754589006.940

{
  "url": "https://webhook-test.com/3649faa1f55db02e8e4abcd06a06f8df",
  "activityType": "memos.memo.updated",
  "creator": "users/1",
  "memo": {
    "name": "memos/ahJLhHhnCXPSENXThYKmVa",
    "state": 1,
    "creator": "users/1",
    "create_time": {
      "seconds": 1754587768
    },
    "update_time": {
      "seconds": 1754588741
    },
    "display_time": {
      "seconds": 1754587768
    },
    "content": "test the hook      ",
    "nodes": [
      {
        "type": 2,
        "Node": {
          "ParagraphNode": {
            "children": [
              {
                "type": 51,
                "Node": {
                  "TextNode": {
                    "content": "test the hook      "
                  }
                }
              }
            ]
          }
        }
      }
    ],
    "visibility": 1,
    "property": {},
    "snippet": "test the hook      \n"
  }
}

[nick16180]

If anyone has this issue, the solution is a little advanced but doable.

1. Set up a "webhook" proxy server that forwards requests from memos and uses a shared key to create a signature based on the key plus the data payload.
2. The proxy server then sends the modified request to the actual destination.
3. The destination ensures that the signtature matches the expected signature to authenticate the request.

The gist is here.