Security
To verify that data sent from your Front Connector is legitimate, validate the signature before accepting it into your system.
Every request Front makes to your server includes two headers: X-Front-Signature and X-Front-Request-Timestamp. First, check that the timestamp shows the request was made recently, to prevent replay attacks. We recommend rejecting any message whose timestamp is more than 5 minutes old.
- Retrieve the X-Front-Request-Timestamp header from the HTTP request, together with the body of the request.
- Concatenate the timestamp and the JSON stringified body of the request to form a single string, using a colon as the delimiter between the two elements.
- Using HMAC SHA256, hash that string with your Channel Type Secret Key as the key.
The result should match the X-Front-Signature header. If it does not, do not trust the message. See our sample code in TypeScript for how to validate a message and generate a token.
Sample application
The Auth file of our Basic application object handler sample application demonstrates verifying that a request is coming from Front.