Secure webhook URLs

When your webhook endpoint is reachable from the open internet, it needs protection against unwanted or malicious traffic. Taking the steps below keeps the endpoint, and the data it receives, trustworthy. Recommended methods to secure your webhook:

  • Enable HTTPS: Serve your webhook endpoint over HTTPS (Hypertext Transfer Protocol Secure). HTTPS encrypts the data in transit between sender and receiver, so payloads and credentials cannot be read or altered by an eavesdropper.
  • Implement authentication: Authenticate every incoming request to verify the identity of the sender, for example with API keys, tokens, or OAuth, so that only authorized requests are processed.
  • Validate incoming requests: Check the integrity and authenticity of each request. Verify request signatures or apply other validation so that tampered or spoofed webhook payloads are rejected.
  • Rate limiting: Cap the number of requests your webhook endpoint accepts within a given time window. This limits abuse and traffic floods and keeps the endpoint stable and available.
  • Firewall and IP whitelisting: Configure a firewall to filter incoming traffic and admit requests only from trusted sources. Additionally, consider IP whitelisting to restrict access to your webhook endpoint to specific IP addresses or IP ranges.

Applying these practices significantly reduces the risk of unauthorized access, data breaches, and other malicious activity directed at your webhook endpoint.

Allowlist of IP addresses

To protect your webhook, we advise configuring ingress rules that reject traffic from unknown sources. Blocking all traffic that does not originate from Ocrolus or your own trusted infrastructure prevents unauthorized access to your webhook endpoint.

For your reference, the notifications from your registered webhooks will be sent from the following IP addresses:

  • 18.205.30.63
  • 18.208.79.114
  • 18.213.224.210
  • 18.233.250.22
  • 35.173.140.133
  • 35.174.183.80
  • 54.164.238.206

HTTP basic authentication scheme

To further protect your webhook's endpoint, you can use HTTP Basic authentication. To grant Ocrolus access to your webhook, include the webhook credentials in the URL you register, such as https://webhook_user:[email protected]/the/rest/of/the/url.

This ensures that only parties holding the credentials can deliver to your webhook and helps maintain the integrity and confidentiality of your data.

curl -X POST \
    -H "Content-Type: application/json" \
    -d '{"event" : "BOOK_VERIFIED"}' \
    https://webhook_user:[email protected]/the/rest/of/the/url
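The following receiver-side check is an added example, not Ocrolus code, combining the two controls above: it accepts a request only if the peer address is one of the published source IPs and the Authorization header carries the Basic credentials that were embedded in the registered URL (the client sends those as base64 in the header, which is why the endpoint must be HTTPS). The credential values and function names are hypothetical; the IP list is the one on this page.

```python
import base64
import binascii
import hmac
import ipaddress

# Source addresses published on this page for Ocrolus webhook notifications.
OCROLUS_WEBHOOK_SOURCES = frozenset(ipaddress.ip_address(a) for a in (
    "18.205.30.63", "18.208.79.114", "18.213.224.210", "18.233.250.22",
    "35.173.140.133", "35.174.183.80", "54.164.238.206"))
# Hypothetical credentials matching the registered URL; load real ones from a secret store.
EXPECTED_USER, EXPECTED_PASSWORD = "webhook_user", "webhook_password"

def basic_header(user, password):
    # Header value a client derives from credentials embedded in the URL userinfo.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def is_allowed_source(remote_addr):
    # Check the TCP peer address; only trust X-Forwarded-For if a proxy you control sets it.
    try:
        return ipaddress.ip_address(remote_addr) in OCROLUS_WEBHOOK_SOURCES
    except ValueError:
        return False

def check_basic_auth(authorization):
    # Verify an "Authorization: Basic <base64(user:password)>" header value.
    if not authorization:
        return False
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison so response timing does not reveal which field was wrong.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return user_ok and pass_ok

def authorize_webhook(remote_addr, headers):
    # Status to answer with: 200 accept, 403 unknown source, 401 missing or bad credentials.
    if not is_allowed_source(remote_addr):
        return 403
    if not check_basic_auth(headers.get("Authorization")):
        return 401
    return 200
```

Run the source check before parsing the body so traffic from unknown addresses is dropped cheaply, and log rejected attempts with the peer address for review.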