From e8637f1c40ad7fa522115dcc7fec777975768732 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 10 Aug 2023 12:53:39 -0600 Subject: [PATCH] doc(securing-your-webhooks): show test values (#27263) Co-authored-by: Sarah Edwards Co-authored-by: Courtney Wilson <77312589+cmwilson21@users.noreply.github.com> --- .../webhooks/securing-your-webhooks.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/webhooks-and-events/webhooks/securing-your-webhooks.md b/content/webhooks-and-events/webhooks/securing-your-webhooks.md index ebda07cb96..fc09eb4664 100644 --- a/content/webhooks-and-events/webhooks/securing-your-webhooks.md +++ b/content/webhooks-and-events/webhooks/securing-your-webhooks.md 
@@ -64,6 +64,23 @@ Your language and server implementations may differ from the following examples. - Using a plain `==` operator is **not advised**. A method like [`secure_compare`][secure_compare] performs a "constant time" string comparison, which helps mitigate certain timing attacks against regular equality operators. +### Test values + +Regardless of the programming language that you use to implement HMAC verification in your code, you can use the following `secret` and `payload` values to verify that your implementation is correct. + +- secret: "It's a Secret to Everybody" +- payload: "Hello, World!" + +If your implementation is correct and uses the SHA-256 algorithm, the signatures that you generate should match the following signature values: + +- signature: 757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 +- x-hub-signature: sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17 + +If your implementation is correct and uses the SHA-1 algorithm, the signatures that you generate should match the following signature values: + +- signature: 01dc10d0c83e72ed246219cdd91669667fe2ca59 +- x-hub-signature: sha1=01dc10d0c83e72ed246219cdd91669667fe2ca59 + ### Ruby example For example, you can define the following `verify_signature` function:
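Review bot: In the new "Test values" list, the SHA-256 bullet is labelled `x-hub-signature: sha256=...`, the same label as the SHA-1 bullet, so a reader cannot tell which header each value belongs to. GitHub delivers the SHA-256 HMAC in `X-Hub-Signature-256` and the SHA-1 HMAC in `X-Hub-Signature`, so the SHA-256 bullet should be labelled `x-hub-signature-256:` with the same `sha256=` value. It would also help to state that the `secret` and `payload` are the UTF-8 bytes of the text between the quotation marks, with no trailing newline, since a stray newline or a different encoding is a common reason a correct implementation fails to reproduce a test vector.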