Solved

Adding layers of security

  • 20 March 2023
  • 1 reply
  • 45 views

I want to trigger actions on my backend from a campaign. I’m sending webhook requests as part of a campaign. For example, I want to add a balance to my users' in-app wallet as a promotion during an onboarding campaign. I know I can create a webhook in the campaign, however this doesn't seem particularly secure as I have to include the authentication keys in plain text in the webhook configuration. I can see that these requests get sent with an x-cio-signature header. This header is documented for the reporting webhooks here. However, I am not using reporting webhooks and have not set these up. I would therefore like to confirm if the x-cio-signature header sent with webhooks from campaigns is expected behaviour which I can rely on? If so, where can I find the key to verify the signature, since I have not set up these webhooks through the reporting webhook screen?

Is there any extra layer of security available? For example request signing to prove that requests are from customer.io or IP address lists for whitelisting?


Best answer by Ramy 20 March 2023, 13:47


1 reply


Hello Taylor!

This is Ramy, from the Technical Support Engineering team at Customer.io; happy to help you here!

Getting into your question, I'm afraid webhook actions (i.e., webhooks sent from a triggered campaign) don't support request signing at this time. We do sign the request with our own key but at the moment, we do not have an option in the app to use your own key.

We have a feature request for this functionality, as we realize how important it is for our customers. I have added your inquiry as a vote to this so that the Product team knows that this is something that would be useful to you.

You bring up a great alternative in your closing sentence, which I’m happy to capitalize on! It is possible to use IP whitelisting to provide a security layer for webhooks originating from Customer.io! We have those documented in this section of our documentation; furthermore, you can always use this API endpoint to retrieve the updated list of IPs, to keep up with any changes/updates that may happen to this list.

I hope this helps, Taylor! Please feel free to let us know if you have any follow-ups to this!

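As an added example of the IP allowlisting Ramy suggests (this is not Customer.io's code), here is the check a webhook receiver would run on each incoming campaign webhook before acting on it. The allowlist entries below are constructed placeholders in documentation ranges; the real ranges come from the documented list or API endpoint mentioned above. The trusted-proxy handling is an assumption for receivers that sit behind a reverse proxy, where the direct peer address is the proxy rather than Customer.io.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample entries standing in for the list you would fetch from
# Customer.io's documented IP endpoint. These are RFC 5737 documentation
# ranges, not real Customer.io addresses.
SAMPLE_ALLOWLIST = ["192.0.2.0/24", "198.51.100.7"]


def build_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse single IPs and CIDR ranges; a malformed entry fails loudly
    at load time instead of silently shrinking the allowlist."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: List[Network]) -> Address:
    """Pick the address to check. X-Forwarded-For is honoured only when
    the direct peer is a trusted proxy, and then only its rightmost hop
    (the one that proxy appended); every other value in the header is
    under the sender's control and must not be trusted."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted_proxies):
        last_hop = forwarded_for.split(",")[-1].strip()
        return ipaddress.ip_address(last_hop)
    return peer


def accept_webhook(remote_addr: str, forwarded_for: Optional[str],
                   allowlist: List[Network],
                   trusted_proxies: Iterable[Network] = ()) -> bool:
    """True only when the effective source IP is inside the allowlist.
    Malformed addresses are rejected rather than raising into the app."""
    try:
        addr = client_ip(remote_addr, forwarded_for, list(trusted_proxies))
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_ALLOWLIST)
    print(accept_webhook("192.0.2.10", None, allow))    # True
    print(accept_webhook("203.0.113.5", None, allow))   # False
```

Refresh the allowlist from the endpoint on a schedule rather than hard-coding it, since the answer notes the list can change.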