API Documentation
Webhooks Verification.

Last updated 1 year ago

Why verify Webhooks?

Because of the way webhooks work, attackers can impersonate services by simply sending a fake webhook to an endpoint. Think about it: it's just an HTTP POST from an unknown source. This is a potential security hole for many applications, or at the very least, a source of problems.

To prevent this, Lenda signs every webhook and its metadata with a unique key for each endpoint. You can then use this signature to verify that the webhook really comes from Lenda, and process it only if it does.

Another potential security hole is what's called a replay attack. A replay attack is when an attacker intercepts a valid payload (including the signature) and re-transmits it to your endpoint. This payload will pass signature validation and will therefore be acted upon.

To mitigate this attack, Lenda includes a timestamp for when the webhook attempt occurred. Our libraries automatically reject webhooks with a timestamp that is more than five minutes away (past or future) from the current time. This requires your server's clock to be synchronized and accurate, and it's recommended that you use NTP to achieve this.
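
The two checks described above, as an added example that is not Lenda's code or library: a receiver that rejects timestamps outside the five-minute window and then verifies a signature covering both timestamp and body. The HMAC-SHA256 algorithm, the `<timestamp>.<body>` signed layout, hex encoding, and every name and sample value here are assumptions, since this page does not give Lenda's actual scheme.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 5 * 60  # five-minute window from the text, past or future

# Constructed sample values, not real Lenda data.
SAMPLE_SECRET = b"constructed-endpoint-secret"
SAMPLE_BODY = b'{"event":"example","id":"constructed-1"}'


class WebhookRejected(Exception):
    """The webhook failed the freshness or signature check."""


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed layout: HMAC-SHA256 over b"<timestamp>.<body>", hex encoded.
    # Signing the timestamp with the body stops an attacker from replaying
    # an old body under a fresh timestamp.
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp_header: Optional[str],
           signature_header: Optional[str], body: bytes,
           now: Optional[float] = None) -> bytes:
    """Return the raw body if the webhook is fresh and authentic, else raise."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        raise WebhookRejected("timestamp missing or not an integer")
    # Reject stale and future-dated attempts alike.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance")
    expected = sign(secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), (signature_header or "").encode()):
        raise WebhookRejected("signature mismatch")
    return body


if __name__ == "__main__":
    ts = int(time.time())
    print(verify(SAMPLE_SECRET, str(ts), sign(SAMPLE_SECRET, ts, SAMPLE_BODY), SAMPLE_BODY))
```

Verify against the raw request bytes before any JSON parsing, because re-serializing the payload changes the bytes the signature covers.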
