Webhooks
How webhooks are secured
We value security & privacy, especially because we're handling sensistive healthcare data. As a company, we're doing our best to stay ahead of attackers by fixing and guarding the loopholes in our systems.
Outlined below are the strategies we use to facilitate security when working with webhooks
To verify that messages are legitimate, both the webhook provider (Awell) and client (you) can perform signature verification on the messages. If the signatures match, the message is valid. If not, the message has been tampered with and should be rejected.
Webhooks are digitally signed using a 2048 bits RSA key specific to your tenant. The signature is generated from the webhook body and is included in a custom x-awell-signature header. When you receive the webhook message, you can use the public key to verify the signature.
Here is how the signature can be verified in Node.js:
01
We only allow HTTPS webhook endpoints. This provides security at the transport layer, ensuring that all data sent is encrypted and therefore cannot be read.
Headers can be configured for all outgoing webhooks that are sent by our system. An authentication token can thus be added to the header you can validate that token to verify whether the incoming request is coming from the right source.