Webhooks Security

The communication with the Copyleaks service is based on REST requests and responses. Some of the operations will involve asynchronous operations, so in this case, when the operation has been completed, a webhook will be sent.

Your server should have internet access in order to receive a webhook and because of this, anyone can access the server’s endpoints. When your servers receive webhooks from Copyleaks, it is important to verify the requestor’s origin and make sure it is actually from Copyleaks.

In order to verify the origin of the call, and make sure it is from Copyleaks, you can use the below methods. You can also use more than one method for extra safety precautions.

Authentication Based on HTTPS Client Certificate

Our webhook servers support HTTPS connections with your endpoints. This secure connection ensures that no one can have access to the data we send you. In order to activate this secure mode, all you have to do is provide an "https" endpoint address when you are submitting your file for a scan.

In order to avoid unauthorized access to the endpoint, Copyleaks uses SSL client certificates to verify the client who uses your endpoint and ensure it is actually Copyleaks. You can also use a self-signed certificate.

To get our live SSL client certificate thumbprints, send this REST API call:

GET https://api.copyleaks.com/v2/security/client-certificates

Authentication Based on DeveloperPayload

Another option to avoid unauthorized access is to use the properties.developerPayload field. Simply set the field value to a string that only you know. Then, when you receive the webhook to your endpoint, you can compare the actual field value to the expected one. For extra security, the secret string can also be encrypted with a key, only known to you.