Security
To verify that data sent from your Front Connector is legitimate, validate the signature before accepting it into your system.
The requests made to your server include two headers: X-Front-Signature and X-Front-Request-Timestamp. First, check that the timestamp shows the request was made recently, to prevent replay attacks. We recommend rejecting any message whose timestamp is more than 5 minutes old.
- Retrieve the X-Front-Request-Timestamp header on the HTTP request and the body of the request.
- Concatenate the timestamp and the JSON-stringified body of the request to form a string. Use a colon as the delimiter between the two elements.
For GET and DELETE requests, the body is the string "undefined".
- Using HMAC SHA256, hash the above string, using your Channel Type Secret Key as the key.
The resulting hash should match the X-Front-Signature header. If it does not, do not trust the message. See the following TypeScript example for how to validate a message and generate a token.
Sample application
The Auth file of our Basic application object handler sample application demonstrates verifying that a request is coming from Front.