php - How do I correctly build a signed webhook structure in Laravel?
Problem description
I have a webhook in my application (APP 1) that another application of mine (APP 2) needs to hit periodically, but I am thinking about ways to securely sign these requests so that the webhook endpoint can only be accessed by that application. I came up with the following:
- Keep a secret hash in APP1's environment and, with every request APP2 sends, add the hash in a specific header for comparison.
But I feel this approach is fairly rudimentary, because if someone got hold of the secret they would be able to access the endpoint. Should some kind of public key combination be used for this? Any suggestions?
Solution
If the systems run on the same back-end, or have access to the same database or similar, it would be easiest to roll a new hash for every request and save it locally.
- APP1 generates a hash and stores it in the file ~/secret_app_hash
- APP2 reads the file ~/secret_app_hash and sends the request with this param
- APP1 receives the HTTPS request and validates the hash against the file
- APP1 generates a new hash... basically back to step 1
This way the hash is never reused, and only APP1 and APP2 have knowledge of the current hash value.
Another approach, if the systems do not share the same back-end, would be to periodically generate a new hash based on some secret that both apps know: sha256(SECRET + current_time_window), similar to two-factor auth.
A side note: if you are using HTTPS and a POST request, the param would not be readable by onlookers.
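Both schemes from the answer above, as an added example that is not part of the original question or answer. The shared file ~/secret_app_hash is modelled as an in-memory store so it runs offline; the secret, the 30-second window length and the class/function names are assumptions. For the time-window variant the answer's sha256(SECRET + window) is replaced with HMAC-SHA256 keyed by the secret, and the previous window is also accepted so a request signed just before a window boundary is not rejected.

```python
import hashlib
import hmac
import secrets
import time

# ---------------------------------------------------------------------------
# Approach 1: one-time token rolled after every request (shared back-end).
# The answer's "~/secret_app_hash" file is modelled as a shared object
# (assumption); in production this is a file, a DB row or a cache key.
# ---------------------------------------------------------------------------

class SharedTokenStore:
    """Holds the current one-time token that both APP1 and APP2 can read."""

    def __init__(self):
        self.current = None


class App1Rolling:
    """Webhook receiver: validates the token, then immediately rotates it."""

    def __init__(self, store):
        self.store = store
        self.rotate()

    def rotate(self):
        # 32 random bytes, hex-encoded: fresh and unguessable for each request.
        self.store.current = secrets.token_hex(32)

    def handle_request(self, presented_token):
        # Constant-time compare so timing differences do not leak the token.
        ok = hmac.compare_digest(presented_token, self.store.current)
        if ok:
            self.rotate()  # the token is consumed; a replay will not match
        return ok


def app2_read_token(store):
    """Webhook caller: reads the current token and sends it as a header/param."""
    return store.current


# ---------------------------------------------------------------------------
# Approach 2: token derived from a shared secret and the current time window
# (separate back-ends). HMAC-SHA256 is used instead of sha256(SECRET + window)
# (assumption); window length of 30 seconds is also an assumption.
# ---------------------------------------------------------------------------

WINDOW_SECONDS = 30


def window_token(secret: bytes, now: float, offset: int = 0) -> str:
    """Token for the time window containing `now`, shifted by `offset` windows."""
    window = int(now // WINDOW_SECONDS) + offset
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()


def app2_sign(secret: bytes, now: float = None) -> str:
    """Caller side: token for the current window, sent in a header/param."""
    if now is None:
        now = time.time()
    return window_token(secret, now)


def app1_verify(secret: bytes, presented_token: str, now: float = None) -> bool:
    """Receiver side: accept the current window or the one just before it,
    which tolerates a little clock skew and network latency at the boundary."""
    if now is None:
        now = time.time()
    for offset in (0, -1):
        if hmac.compare_digest(presented_token, window_token(secret, now, offset)):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret; in a real deployment this comes from APP1's
    # and APP2's environment, never from source control.
    SECRET = b"constructed-demo-secret-change-me"

    store = SharedTokenStore()
    app1 = App1Rolling(store)
    token = app2_read_token(store)
    print("rolling: first use accepted:", app1.handle_request(token))
    print("rolling: replay rejected:", not app1.handle_request(token))

    tok = app2_sign(SECRET)
    print("window: accepted now:", app1_verify(SECRET, tok))
    print("window: rejected two windows later:",
          not app1_verify(SECRET, tok, time.time() + 2 * WINDOW_SECONDS))
```

Neither token binds the request body, so a holder of a valid token could send a different payload within its validity; the usual extension is to include the body (and a timestamp) in the HMAC input so the signature covers what was actually sent.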