
Webhooks Security

Communication with the Copyleaks service is based on REST requests and responses. Some operations are asynchronous; when such an operation completes, a webhook is sent.

Your server needs to be reachable from the internet in order to receive a webhook, which means anyone can reach the server's endpoints. When your servers receive webhooks from Copyleaks, it is important to verify the requestor's origin and make sure the request actually comes from Copyleaks.

To verify the origin of a call and make sure it is from Copyleaks, you can use the methods below. You can also combine more than one method for extra safety.

Authentication Based on HTTPS Client Certificate

Our webhook servers support HTTPS connections with your endpoints. The encrypted connection protects the data we send you from being read in transit. To activate this secure mode, provide an "https" endpoint address when you submit your file for a scan.

To prevent unauthorized access to the endpoint, Copyleaks presents an SSL client certificate so that your server can verify that the client calling your endpoint is actually Copyleaks. You can also use a self-signed certificate.

To get our live SSL client certificate thumbprints, send this REST API call:

GET https://api.copyleaks.com/v2/security/client-certificates

Important
To activate this authentication method, you need to provide an "https" endpoint that supports SSL. Non-secured (HTTP) connections do not support this feature.

Warning
This list is dynamic and can change from time to time. Make sure you have an automated scheduled job that updates your environment on a daily basis.

Authentication Based on DeveloperPayload

Another option for preventing unauthorized access is the properties.developerPayload field. Set the field value to a string that only you know. Then, when your endpoint receives the webhook, compare the actual field value to the expected one. For extra security, the secret string can also be encrypted with a key known only to you.
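One way to apply the developerPayload check, shown as an added example that is not Copyleaks' own code: it derives a separate value per scan with HMAC-SHA256 (a keyed MAC, used here in place of the encryption mentioned above) and compares it in constant time. The top-level `developerPayload` key in the webhook JSON, the scan IDs, the sample key and the function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample key; in practice load it from a secret store.
SERVER_KEY = b"constructed-sample-key-not-for-production"


def make_developer_payload(scan_id: str, key: bytes = SERVER_KEY) -> str:
    """Value to send as properties.developerPayload when submitting a scan.

    Binding the value to the scan ID means a payload that leaks for one
    scan cannot be reused to authenticate a webhook for another.
    """
    return hmac.new(key, scan_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, scan_id: str, key: bytes = SERVER_KEY) -> bool:
    """Return True only if the webhook body carries the payload for scan_id.

    scan_id is the ID your own system expects for this callback (assumed to
    be known to the receiver, for example from its own webhook URL path).
    """
    try:
        data = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return False
    if not isinstance(data, dict):
        return False
    received = data.get("developerPayload")  # assumed field location
    if not isinstance(received, str):
        return False
    expected = make_developer_payload(scan_id, key)
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(
        received.encode("utf-8", "replace"), expected.encode("utf-8")
    )


if __name__ == "__main__":
    # Constructed sample webhook bodies for a hypothetical scan "scan-001".
    genuine = json.dumps(
        {"developerPayload": make_developer_payload("scan-001")}
    ).encode("utf-8")
    forged = b'{"developerPayload": "guess"}'
    print("genuine accepted:", verify_webhook(genuine, "scan-001"))
    print("forged accepted:", verify_webhook(forged, "scan-001"))
    print("wrong scan accepted:", verify_webhook(genuine, "scan-002"))
```

Reject the request with an error status whenever `verify_webhook` returns False, and do not echo the expected value in logs or responses.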
