A webhook in
web development
Web development is the work involved in developing a website for the Internet (World Wide Web) or an intranet (a private network). Web development can range from developing a simple single static page of plain text to complex web applications ...
is a method of augmenting or altering the behavior of a
web page or
web application
A web application (or web app) is application software that is accessed using a web browser. Web applications are delivered on the World Wide Web to users with an active network connection.
History
In earlier computing models like client-serve ...
with custom
callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who may not necessarily be affiliated with the originating website or application. The term "webhook" was coined by
Jeff Lindsay in 2007 from the computer programming term ''
hook
A hook is a tool consisting of a length of material, typically metal, that contains a portion that is curved or indented, such that it can be used to grab onto, connect, or otherwise attach itself onto another object. In a number of uses, one e ...
''.
The format is usually
JSON
JSON (JavaScript Object Notation, pronounced ; also ) is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and arrays (or other ser ...
. The request is done as a
HTTP POST
In computing, POST is a request method supported by HTTP used by the World Wide Web.
By design, the POST request method requests that a web server accept the data enclosed in the body of the request message, most likely for storing it. It is oft ...
request.
Function
Webhooks are "user-defined HTTP callbacks". They are usually triggered by some event, such as pushing code to a repository or a comment being posted to a blog. When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another.
Common uses are to trigger builds with
continuous integration systems or to notify
bug tracking system
A bug tracking system or defect tracking system is a software application that keeps track of reported software bugs in software development projects. It may be regarded as a type of issue tracking system.
Many bug tracking systems, such as those ...
s. Because webhooks use HTTP, they can be integrated into web services without adding new infrastructure.
Authenticating the webhook notification
When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a
spoofing attack
In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
Internet Spoofing and ...
and its timestamp verified to avoid a
replay attack
A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary wh ...
. Different techniques to authenticate the client are used:
* HTTP
basic authentication can be used to authenticate the client.
* The webhook can include information about what type of event it is, and a
shared secret
In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. This usually refers to the key of a symmetric cryptosystem. The shared secret can be a password, a passphrase, a big number, or a ...
or
digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
to verify the webhook.
* An
HMAC
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret ...
signature can be included as a HTTP header. GitHub, Stripe and Facebook use this technique.
*
Mutual TLS authentication can be used when the connection is established. The endpoint (the server) can then verify the client's certificate.
The sender may choose to keep a constant list of
IP addresses
An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
from which requests will be sent. This is not a sufficient security measure on its own, but it is useful for when the receiving endpoint is behind a
firewall
Firewall may refer to:
* Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts
* Firewall (construction), a barrier inside a building, designed to limit the spre ...
or
NAT
Nat or NAT may refer to:
Computing
* Network address translation (NAT), in computer networking
Organizations
* National Actors Theatre, New York City, U.S.
* National AIDS trust, a British charity
* National Archives of Thailand
* National As ...
.
See also
*
Application programming interface
An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how t ...
*
Open API
An open API (often referred to as a public API) is a publicly available application programming interface that provides developers with programmatic access to a proprietary software application or web service. APIs are sets of requirements that go ...
*
Mashup (web application hybrid)
A mashup (computer industry jargon), in web development, is a web page or web application that uses content from more than one source to create a single new service displayed in a single graphical interface. For example, a user could combine the ...
References
External links
Working with Webhooks
{{Web interfaces
Hypertext Transfer Protocol
Events (computing)
Web technology
Change detection and notification