Webhooks Security

The communication with the Copyleaks service is based on REST requests and responses. Some operations are asynchronous; for those, a webhook is sent to you once the operation has completed.

Your server must be reachable from the internet in order to receive a webhook, which means anyone can reach its endpoints. When your servers receive webhooks from Copyleaks, it is important to verify the requester's origin and make sure the request actually comes from Copyleaks.

To verify that a call originates from Copyleaks, you can use the methods below. Combining more than one method adds a further layer of protection.

Whitelist Copyleaks Server IPs

Requests from the Copyleaks servers come from specific IP ranges. As a security measure, you can whitelist our server addresses in order to:

In order to get the latest Copyleaks IP list, send the following REST API call:

GET https://api.copyleaks.com/v1/security/servers/ips

The IP addresses in the list are given in CIDR notation, and the list may contain IPv6 as well as IPv4 ranges. Make sure your allowlist handles both.

Warning

This list is dynamic and can change from time to time. Make sure you have an automated scheduled job that updates your environment on a daily basis.
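As an added example (not part of the Copyleaks documentation or SDKs), the following Python checks a webhook's source address against a CIDR allowlist that contains both IPv4 and IPv6 entries. The ranges in SAMPLE_IP_LIST are constructed placeholders from the RFC documentation ranges, not real Copyleaks addresses; in production the list comes from the GET /v1/security/servers/ips call above and is refreshed daily. The response format of that call is not shown on this page, so parsing the live response is left to the caller.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allowlist. These are documentation ranges (RFC 5737 /
# RFC 3849) used as placeholders; they are NOT Copyleaks addresses. Replace
# with the list returned by GET https://api.copyleaks.com/v1/security/servers/ips
# and refresh it from a scheduled job at least daily.
SAMPLE_IP_LIST = [
    "203.0.113.0/24",       # IPv4 range
    "198.51.100.42/32",     # single IPv4 host
    "2001:db8:1234::/48",   # IPv6 range
]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse CIDR strings (IPv4 or IPv6) into network objects.

    Entries that are not valid CIDR notation raise ValueError so that a
    corrupted list fails loudly instead of silently shrinking the allowlist.
    """
    networks: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        # strict=False tolerates host bits set in the prefix (e.g. "10.1.2.3/24").
        networks.append(ipaddress.ip_network(raw, strict=False))
    return networks


def is_allowed(source_ip: str, allowlist: List[Network]) -> bool:
    """Return True only if source_ip falls inside one of the allowed networks.

    source_ip must be the address of the TCP peer that connected to you
    (e.g. request.remote_addr), not a client-supplied header such as
    X-Forwarded-For, unless that header is set by a proxy you control.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparsable address is never trusted
    # Dual-stack servers often see IPv4 peers as IPv4-mapped IPv6 addresses
    # (::ffff:a.b.c.d); unwrap them so they match IPv4 allowlist entries.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowlist)


if __name__ == "__main__":
    allow = parse_allowlist(SAMPLE_IP_LIST)
    for ip in ("203.0.113.7", "::ffff:198.51.100.42", "2001:db8:1234:abcd::1", "203.0.114.1"):
        print(ip, "allowed" if is_allowed(ip, allow) else "rejected")
```

Reject the request before reading the body when is_allowed returns False, and keep the IP check as one layer alongside the certificate or developerPayload checks described in the following sections rather than the only one.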

Authentication Based on HTTPS Client Certificate

Our webhook servers support HTTPS connections to your endpoints. This secure connection ensures that no one else can read the data we send you. To activate this secure mode, all you have to do is provide an "https" endpoint address when you submit your file for a scan.

To prevent unauthorized access to the endpoint, Copyleaks presents an SSL client certificate when calling your endpoint, so your server can verify that the caller is actually Copyleaks. The certificate may be self-signed, so validate it by thumbprint rather than relying on a public CA chain.

To get our live SSL client certificate thumbprints, send this REST API call:

GET https://api.copyleaks.com/v2/security/client-certificates

Important

To activate this authentication method, you need to provide an "https" endpoint that supports SSL. Non-secured (HTTP) connections do not support this feature.

Warning

This list is dynamic and can change from time to time. Make sure you have an automated scheduled job that updates your environment on a daily basis.
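As an added example (not Copyleaks code), the following Python computes a client certificate's thumbprint from its DER encoding and compares it against an allowlist, normalising the usual thumbprint spellings (upper/lower case, colon- or space-separated). SAMPLE_DER is a constructed byte string standing in for a real certificate; on a real server the DER bytes come from ssl.SSLSocket.getpeercert(binary_form=True) after the listening socket's SSLContext has been configured to request a client certificate (verify_mode = ssl.CERT_REQUIRED) with the Copyleaks certificate loaded as a trust anchor. Whether the published list uses SHA-1 or SHA-256 thumbprints is not stated on this page, so both are supported and the caller picks the algorithm that matches the list.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed stand-in for a DER-encoded certificate; NOT a real certificate.
# In production: der = ssl_socket.getpeercert(binary_form=True)
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"


def normalize_thumbprint(value: str) -> str:
    """Canonical form: uppercase hex with no colons, spaces or dashes.

    Thumbprint lists are published in several spellings; comparing the
    canonical forms avoids false rejections caused only by formatting.
    """
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def thumbprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Thumbprint = hash of the DER encoding, as canonical uppercase hex."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("unsupported thumbprint algorithm: " + algo)
    return hashlib.new(algo, der_bytes).hexdigest().upper()


def is_trusted_client_cert(der_bytes: bytes, allowed: Iterable[str], algo: str = "sha1") -> bool:
    """True if the presented certificate's thumbprint is in the allowlist.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading characters match.
    """
    if not der_bytes:
        return False  # no client certificate was presented
    presented = thumbprint(der_bytes, algo)
    return any(hmac.compare_digest(presented, normalize_thumbprint(t)) for t in allowed)


if __name__ == "__main__":
    # Constructed allowlist containing the sample certificate's own thumbprint,
    # written in the colon-separated lowercase style some tools emit.
    tp = thumbprint(SAMPLE_DER)
    colon_style = ":".join(tp[i:i + 2] for i in range(0, len(tp), 2)).lower()
    print("accepted:", is_trusted_client_cert(SAMPLE_DER, [colon_style]))
    print("tampered:", is_trusted_client_cert(SAMPLE_DER + b"x", [colon_style]))
```

Load the allowlist from the GET /v2/security/client-certificates call on the same daily schedule as the IP list, and treat an empty or unparsable response as "keep the previous list" rather than "allow everything".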

Authentication Based on DeveloperPayload

Another option to prevent unauthorized access is to use the properties.developerPayload field. Simply set the field value to a string that only you know. Then, when the webhook arrives at your endpoint, compare the actual field value to the expected one. For extra security, the secret string can also be encrypted with a key known only to you.
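As an added example (not Copyleaks code), the following Python shows the two variants of this check: a static shared secret compared in constant time, and a per-scan token derived from a key only you hold. For the keyed variant it uses an HMAC tag over the scan identifier rather than encryption, which is an assumption of this example rather than a method the page prescribes; the effect is the same, a value an outsider cannot forge without the key, and it also binds the payload to one scan so a token captured from one webhook cannot be replayed for another. The function names, the scan id and the secret are constructed for the example; where the payload sits in the webhook body is not shown on this page, so the caller passes the extracted value in.

```python
import hmac
import hashlib
from typing import Optional

# Constructed key for the example; in production keep this in your secret store,
# never in the submitted scan properties themselves.
EXAMPLE_KEY = "example-only-key-change-me"


def payload_matches(expected: str, received: Optional[str]) -> bool:
    """Static-secret variant: the developerPayload you submitted must come back verbatim.

    hmac.compare_digest keeps the comparison time independent of how much of
    the string matches, so a caller cannot probe the secret byte by byte.
    """
    if not isinstance(received, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def make_developer_payload(key: str, scan_id: str) -> str:
    """Keyed variant: a token to submit in properties.developerPayload for this scan.

    The token is the scan id plus an HMAC-SHA256 tag over it, so it is unique
    per scan and cannot be produced without the key.
    """
    tag = hmac.new(key.encode("utf-8"), scan_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return scan_id + "." + tag


def verify_developer_payload(key: str, scan_id: str, received: Optional[str]) -> bool:
    """Recompute the expected token for the scan the webhook claims to report on and compare."""
    if not isinstance(received, str) or "." not in received:
        return False
    claimed_id, _ = received.split(".", 1)
    if claimed_id != scan_id:
        return False  # token was issued for a different scan
    expected = make_developer_payload(key, scan_id)
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


if __name__ == "__main__":
    scan = "constructed-scan-0001"
    token = make_developer_payload(EXAMPLE_KEY, scan)     # set as properties.developerPayload
    print("submitted token:", token)
    print("valid webhook:  ", verify_developer_payload(EXAMPLE_KEY, scan, token))
    print("replayed token: ", verify_developer_payload(EXAMPLE_KEY, "other-scan", token))
```

The scan id used when verifying should be the one your server associated with the submission, looked up from your own records, so that the check does not depend on an identifier the webhook body asserts about itself.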