Validating Requests from ClearFeed

To validate that a request originated from ClearFeed, follow these steps:

  1. Grab your webhook secret from the Developer Settings Page.

  2. Extract the verb, URL, body and timestamp from the request. The timestamp to use here is the value of the X-CF-Timestamp header. Concatenate all of these, in that order, and compute an HMAC-SHA256 over the result, keyed with the webhook secret obtained above.

  3. Compare the signature you computed with the one sent in the request, and reject the request if they differ.

Here's how it can be done using JavaScript:

const crypto = require('crypto');

function verifySignature(signingSecret, verb, url, body, timestamp, signature) {
  if (Math.floor(Date.now() / 1000) - timestamp > 60 * 5) {
    // The request timestamp is more than five minutes from local time.
    // It could be a replay attack, so let's ignore it.
    return false;
  }
  const message = verb + url + body + timestamp;
  const hmac = crypto.createHmac('sha256', signingSecret);
  const calculatedSignature = hmac.update(message).digest('hex');
  // Compare in constant time so the check does not leak how many leading
  // characters matched. timingSafeEqual requires equal-length buffers, so
  // check the length first; a malformed (non-hex) signature fails here.
  const expected = Buffer.from(calculatedSignature, 'hex');
  const given = Buffer.from(String(signature), 'hex');
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}
