Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.hookflo.com/llms.txt

Use this file to discover all available pages before exploring further.

HookFlo is built with security as a fundamental principle. This guide outlines our approach to securing webhook communication, protecting sensitive data, and ensuring the integrity of all webhook events processed through our platform.
Security is a shared responsibility. While HookFlo provides robust security features, it’s important to follow best practices when configuring your webhooks and handling sensitive data.

Core Security Features

Webhook Authentication & Verification

HookFlo supports multiple methods for authenticating and verifying webhook sources:

HMAC Signature Verification

Verify the authenticity of webhooks using HMAC signatures with algorithms like SHA-256

JWT Validation

Validate JSON Web Tokens using various signing algorithms

API Keys

Implement simple key-based authentication for webhook sources

Basic Authentication

Support for username/password verification methods
{
  "verification": {
    "type": "hmac",
    "algorithm": "sha256",
    "signatureHeader": "X-Hub-Signature-256",
    "signaturePrefix": "sha256=",
    "secret": "${WEBHOOK_SECRET}"
  }
}
HookFlo verifies signatures using the exact algorithm specified by the webhook provider, ensuring compatibility with any service.

Algorithm-Agnostic Payload Processing

HookFlo is designed to work with any webhook format or encoding scheme used by service providers. Our platform handles various encoding formats:
Encoding TypeDescriptionUse Case
Base64Decodes Base64-encoded payloads (standard, URL-safe)Services that encode binary data or compress payloads
URL EncodingParses URL-encoded request bodiesForm submissions and legacy webhook systems
JWT PayloadExtracts and validates claims from JWT tokensModern API systems using token-based authentication
Gzip/DeflateAutomatically decompresses compressed payloadsHigh-volume webhook systems that optimize for size
Custom EncodingApply custom decoding functionsProprietary encoding formats unique to specific providers
Multiple decoding steps can be chained to handle complex encoding schemes: 
{
  "preProcessing": {
    "decoding": [
      {
        "type": "base64",
        "target": "body.data"
      },
      {
        "type": "gzip",
        "target": "decodedData"
      }
    ]
  }
}

Comprehensive Algorithm Support

HookFlo supports all commonly used signature verification algorithms:

HMAC Algorithms

  • HMAC-SHA256
  • HMAC-SHA1
  • HMAC-SHA384/512
  • HMAC-MD5 (legacy)

Asymmetric Algorithms

  • RSA-SHA256
  • ECDSA
  • EdDSA (Ed25519)

JWT Algorithms

  • HS256, HS384, HS512
  • RS256, RS384, RS512
  • ES256, ES384, ES512
  • PS256, PS384, PS512
New algorithms are continuously added to maintain compatibility with all webhook providers.

Verification Methods

Different services implement webhook verification in various ways:

Header-Based Signatures

  • Standard header placement
  • Custom header names
  • Multiple signature headers

Request Parameter Verification

  • Query parameter signatures
  • Form-encoded signatures
  • Timestamp-based verification

Body Hash Verification

  • Complete body hashing
  • Canonicalized JSON
  • Specific field selection
HookFlo’s verification engine can be configured to match any provider’s approach, ensuring you can securely process webhooks from any service.

Best Practices

Security Checklist

  • Enable signature verification for all webhook sources
  • Implement IP allowlisting for known webhook providers
  • Redact sensitive data fields using JSON path selectors
  • Set appropriate retention periods for webhook data
  • Configure webhook timeout settings to prevent hanging connections
  • Regularly rotate webhook secrets and API keys
  • Monitor the webhook security audit log for suspicious activity
  • Use rate limiting to protect endpoints from abuse
  • Implement strict CORS policies for web-based webhook endpoints

Security Recommendations

  • Always enable signature verification
  • Implement rate limiting and IP filtering
  • Use HTTPS with modern TLS settings
  • Consider adding CAPTCHA for user-initiated webhooks
  • Monitor for unusual traffic patterns
  • Use mutual TLS (mTLS) for service-to-service communication
  • Implement network-level isolation for webhook processing systems
  • Consider using private endpoints within your network
  • Implement strict egress filtering for webhook consumers
Need Support? Let us know
or DM me directly on X.