To verify that data sent from your Front Connector is legitimate, validate the signature before accepting it into your system.

The requests made to your server will include two headers: X-Front-Signature and X-Front-Request-Timestamp. First, check that the timestamp shows the request was made recently, in order to prevent replay attacks. We recommend rejecting any message older than 5 minutes.

  1. Retrieve the X-Front-Request-Timestamp header on the HTTP request and the body of the request.
  2. Concatenate the timestamp and the JSON stringified body of the request to form a string. Use a colon as the delimiter between the two elements.
  3. Using HMAC SHA256, hash the above string, using your Channel Type Secret Key as the key.

This should match the X-Front-Signature header. If it does not, do not trust the message. See our sample code in TypeScript for how to validate a message and generate a token.
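
The three steps above, followed by the header comparison, as an added TypeScript example (not the sample application's code). It assumes the timestamp header is milliseconds since the Unix epoch and that the signature is the hex-encoded digest; the secret and request values are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Reject requests older than this (the 5 minute window recommended above).
export const MAX_AGE_MS = 5 * 60 * 1000;

// Expected signature: HMAC-SHA256 over "<timestamp>:<body>", keyed with the
// Channel Type Secret Key. Hex encoding of the digest is an assumption here;
// confirm the encoding against the sample application.
export function computeSignature(timestamp: string, rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(`${timestamp}:${rawBody}`).digest("hex");
}

// headers: lower-cased header names -> values (as Node's http module exposes them).
// rawBody: the request body exactly as received. Re-serialising a parsed object can
// change key order or whitespace and break the comparison, so prefer the raw bytes.
// now: current time in ms, injectable so the replay check can be tested deterministically.
// The timestamp header is assumed to be milliseconds since the Unix epoch.
export function verifyFrontRequest(
  headers: Record<string, string | undefined>,
  rawBody: string,
  secret: string,
  now: number = Date.now(),
): boolean {
  const signature = headers["x-front-signature"];
  const timestamp = headers["x-front-request-timestamp"];
  if (!signature || !timestamp) return false;

  // Replay check first: a stale (or future-dated, beyond clock skew) timestamp is
  // rejected before any HMAC work is done.
  const sentAt = Number(timestamp);
  if (!Number.isFinite(sentAt) || Math.abs(now - sentAt) > MAX_AGE_MS) return false;

  const expected = Buffer.from(computeSignature(timestamp, rawBody, secret), "utf8");
  const actual = Buffer.from(signature, "utf8");
  // timingSafeEqual throws on a length mismatch, so check length first; the constant-time
  // comparison avoids leaking how many leading bytes of the signature were correct.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Constructed example values (not real Front data or a real secret).
export const SAMPLE_SECRET = "example-channel-type-secret";
export const SAMPLE_TIMESTAMP = "1700000000000";
export const SAMPLE_BODY = JSON.stringify({ type: "message", id: "constructed-id-1" });
```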

Sample application

The Auth file of our Basic application object handler sample application demonstrates verifying that a request is coming from Front.