From b297be3d407d1b7cb30328684e47026cca3ec2f5 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 3 Aug 2023 15:34:54 -0600 Subject: [PATCH 1/3] doc(securing-your-webhooks): show test values --- .../webhooks/securing-your-webhooks.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/webhooks-and-events/webhooks/securing-your-webhooks.md b/content/webhooks-and-events/webhooks/securing-your-webhooks.md index 4dfb86fdd76e..ed8e967013d2 100644 --- a/content/webhooks-and-events/webhooks/securing-your-webhooks.md +++ b/content/webhooks-and-events/webhooks/securing-your-webhooks.md @@ -64,6 +64,23 @@ Your language and server implementations may differ from the following examples. - Using a plain `==` operator is **not advised**. A method like [`secure_compare`][secure_compare] performs a "constant time" string comparison, which helps mitigate certain timing attacks against regular equality operators. +### Test values + +Regardless of programming language, these values can be used to know that the implementation is correct. + +```yaml +Secret: It's a Secret to Everybody +Payload: Hello, World! + +Algorithm: SHA-256 +Signature: 757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 +X-Hub-Signature: sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 + +Algorithm: SHA-1 +Signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59 +X-Hub-Signature: sha1=01dc10d0c83e72ed246219cdd91669667fe2ca59 +``` + ### Ruby example For example, you can define the following `verify_signature` function: From 1bfc7abc259c31e30e4e3e3df78b22f8381e7b7e Mon Sep 17 00:00:00 2001 From: Sarah Edwards Date: Wed, 9 Aug 2023 19:08:12 -0700 Subject: [PATCH 2/3] Apply suggestions from code review --- .../webhooks/securing-your-webhooks.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) 
diff --git a/content/webhooks-and-events/webhooks/securing-your-webhooks.md b/content/webhooks-and-events/webhooks/securing-your-webhooks.md index ed8e967013d2..0347667c4999 100644 --- a/content/webhooks-and-events/webhooks/securing-your-webhooks.md +++ b/content/webhooks-and-events/webhooks/securing-your-webhooks.md @@ -66,21 +66,20 @@ Your language and server implementations may differ from the following examples. ### Test values -Regardless of programming language, these values can be used to know that the implementation is correct. +Regardless of the programming language that you use to implement HMAC verification in your code, you can use the following `secret` and `payload` values to verify that your implementation is correct. -```yaml -Secret: It's a Secret to Everybody -Payload: Hello, World! +- secret: "It's a Secret to Everybody" +- payload: "Hello, World!" -Algorithm: SHA-256 -Signature: 757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 -X-Hub-Signature: sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 +If your implementation is correct and uses the SHA-256 algorithm, the signatures that you generate should match the following signature values: -Algorithm: SHA-1 -Signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59 -X-Hub-Signature: sha1=01dc10d0c83e72ed246219cdd91669667fe2ca59 -``` +- signature: 757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 +- x-hub-signature: sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 + +If your implementation is correct and uses the SHA-1 algorithm, the signatures that you generate should match the following signature values: +- signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59 +- x-hub-signature: sha1=01dc10d0c83e72ed246219cdd91669667fe2ca59 ### Ruby example For example, you can define the following `verify_signature` function: From 700607220c62796f04cd4fd134394613c2e40a92 Mon Sep 17 00:00:00 2001 
From: Sarah Edwards Date: Wed, 9 Aug 2023 19:08:40 -0700 Subject: [PATCH 3/3] add new line --- content/webhooks-and-events/webhooks/securing-your-webhooks.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/webhooks-and-events/webhooks/securing-your-webhooks.md b/content/webhooks-and-events/webhooks/securing-your-webhooks.md index 0347667c4999..6f54d3bf5992 100644 --- a/content/webhooks-and-events/webhooks/securing-your-webhooks.md +++ b/content/webhooks-and-events/webhooks/securing-your-webhooks.md @@ -80,6 +80,7 @@ If your implementation is correct and uses the SHA-1 algorithm, the signatures t - signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59 - x-hub-signature: sha1=01dc10d0c83e72ed246219cdd91669667fe2ca59 + ### Ruby example For example, you can define the following `verify_signature` function:
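Review bot: in PATCH 1/3 the fenced block is tagged `yaml` but is not valid YAML: `Algorithm`, `Signature` and `X-Hub-Signature` each appear twice as keys of the same mapping, which parsers that reject duplicate keys will refuse, and the tag invites readers to paste it as configuration. A plain text fence, or one labelled list per algorithm, fits better. The section should also say that the payload is the exact bytes `Hello, World!` with no trailing newline, because a digest computed over `echo`-style input that appends a newline will not match `757107ea...` or `01dc10d0...` even when the HMAC code itself is correct.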
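Review bot: in PATCH 2/3 the SHA-1 paragraph ends with `signature values:` and the very next line is `- signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59` with no blank line between them, unlike the SHA-256 list above it; several Markdown renderers then fold that list into the paragraph. Insert the blank line there as well as before `### Ruby example`. Both lists also label the prefixed value `x-hub-signature` although one carries `sha256=` and the other `sha1=`, so the reader cannot tell which request header each value is meant to be compared with; name the exact header for each entry, and state that the comparison against the header is done with a constant-time function such as `secure_compare`, as the `==` warning in the context line above this section already requires.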
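Review bot: PATCH 3/3 only restores the blank line before `### Ruby example` that PATCH 2/3 removed; squash it into PATCH 2/3 instead of carrying a separate `add new line` commit, and in the same squash add the matching blank line between `should match the following signature values:` and `- signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59`, which has the identical problem and is not touched by this hunk.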