Webhooks may be configured to require an integrity check. This is a basic, non-secure data integrity check mechanism that protects against accidental modification of the entity body in transit [1]. Non-secure means that it offers no protection against a malicious attacker who deliberately forges or alters requests, since anyone can recompute the digest for a modified body. To allow the recipient of the webhook request to verify message integrity, we use the standard HTTP 1.1 Content-MD5 header. The protocol, as defined in RFC 1864 (http://www.ietf.org/rfc/rfc1864.txt), is described below.
Sender (EPP):
- Apply any content encoding to the desired entity body (e.g. application/x-www-form-urlencoded or application/json).
- Calculate a hash of the content-encoded entity body using the MD5 hash function.
- Base64-encode the resulting MD5 hash.
- Add the resulting string to the entity header field Content-MD5.
- Apply any transfer encoding to the HTTP entity and send the resulting HTTP request message.
Recipient (Customer):
- Receive the HTTP request message and apply any transfer decoding necessary to extract the HTTP entity.
- Calculate a hash of the entity body using the MD5 hash function.
- Base64-encode the resulting MD5 hash.
- Check whether the computed value matches the value of the received Content-MD5 header field.
The recipient should perform this check and respond with HTTP status code 400 if data integrity is violated. The webhook invocation is retried in that case.
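Both sides of the procedure above (sender computing the header, recipient recomputing and comparing it, and returning 400 on mismatch) as an added example in Python; this is illustrative code, not the EPP platform's own implementation, and the payload, header handling and the `handle_webhook` status-code helper are assumptions for the demonstration:

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


def content_md5(body: bytes) -> str:
    """Base64-encoded MD5 digest of the content-encoded entity body (RFC 1864)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def build_webhook_request(payload: dict) -> Tuple[Dict[str, str], bytes]:
    """Sender side: content-encode the payload as JSON, then attach the
    Content-Type and Content-MD5 entity headers. The digest is computed over
    exactly the bytes that will be sent, after content encoding and before any
    transfer encoding."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Content-MD5": content_md5(body),
    }
    return headers, body


def verify_content_md5(headers: Dict[str, str], body: bytes) -> bool:
    """Recipient side: recompute the digest over the received (transfer-decoded)
    entity body and compare it with the header value. HTTP header names are
    case-insensitive, so the lookup ignores case. A missing header counts as a
    failed check because the webhook was configured to require it."""
    received = None
    for name, value in headers.items():
        if name.lower() == "content-md5":
            received = value.strip()
            break
    if received is None:
        return False
    # Byte-wise comparison; compare_digest tolerates values of differing length.
    return hmac.compare_digest(content_md5(body).encode("utf-8"), received.encode("utf-8"))


def handle_webhook(headers: Dict[str, str], body: bytes) -> int:
    """Return the HTTP status the recipient should send: 400 when the integrity
    check fails (EPP will retry the delivery), 200 when the body is intact."""
    if not verify_content_md5(headers, body):
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample payload; not a real EPP webhook event.
    headers, body = build_webhook_request({"event": "sample.event", "id": 42})
    print("Content-MD5:", headers["Content-MD5"])
    print("intact body  ->", handle_webhook(headers, body))          # 200
    print("altered body ->", handle_webhook(headers, body + b" "))   # 400
```

Note that a matching header only shows the body was not accidentally changed between sender and recipient; any party able to change the body can also recompute a valid Content-MD5, which is exactly why the page calls the mechanism non-secure.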