Webhook Signatures

Webhook signature validation now available

Webflow’s Data API now supports webhook signature validation for enhanced security. Webhooks created with an OAuth Application now include additional headers that enable you to verify the authenticity of incoming webhook requests.

What’s new

The following headers are now included in webhook payloads:

  • x-webflow-signature: A signature hash generated using your application’s client secret
  • x-webflow-timestamp: The timestamp when the webhook was sent

These headers enable you to validate that webhook requests are genuinely from Webflow and haven’t been tampered with, protecting your integrations from potential security threats.

Why this matters

Validating webhook signatures helps you:

  • Prevent unauthorized access to your webhook endpoints
  • Ensure data integrity by confirming requests haven’t been modified
  • Protect against replay attacks by validating request timestamps

How to implement signature validation

The simplest way to validate webhook signatures is to use the Webflow SDK:

import { WebflowClient } from "webflow-api";
import express from "express";

// Assumed environment variable names; the original snippet used bare AUTHTOKEN and CLIENT_SECRET.
const AUTHTOKEN = process.env.WEBFLOW_ACCESS_TOKEN;
const CLIENT_SECRET = process.env.WEBFLOW_CLIENT_SECRET;

const webflowClient = new WebflowClient({ accessToken: AUTHTOKEN });
const app = express();

// Keep the raw request bytes: the signature covers the body exactly as Webflow sent it,
// and re-serialising the parsed object can change key order or whitespace.
app.use(
  express.json({
    verify: (req, _res, buf) => {
      req.rawBody = buf.toString("utf8");
    },
  })
);

app.post("/webhook", async (req, res) => {
  const isValidRequest = await webflowClient.webhooks.verifySignature({
    headers: req.headers,
    body: req.rawBody,
    secret: CLIENT_SECRET,
  });

  if (!isValidRequest) {
    // Reject the request: missing or wrong signature, or a stale timestamp
    return res.sendStatus(401);
  }

  // Process the webhook
  res.sendStatus(200);
});

Manual verification

If you prefer to validate signatures manually, follow these steps:

  1. Generate an HMAC hash using:
     • The timestamp from the x-webflow-timestamp header
     • The request body string
     • Your OAuth application’s client secret
     • The SHA-256 algorithm
  2. Compare signatures by checking that your generated hash matches the x-webflow-signature header
  3. Verify the timestamp to ensure the request is recent (within 5 minutes) to prevent replay attacks

For detailed implementation examples, please refer to the webhook signature validation documentation.

Backward compatibility

This update only applies to webhooks created through OAuth Applications. Existing webhooks created through the Site Dashboard will continue to function without these signature headers.

It’s highly recommended to update your webhook handlers to implement signature validation for enhanced security.