
Enhance security for webhook actions using a custom secret key

We value security a lot. Since being skeptical is a very good thing, especially when it comes to such a powerful plugin, we like to offer you as much peace of mind as possible.

Therefore, we will introduce you to a neat snippet that allows you to extend the incoming webhook actions with another security test against a custom secret key.

Let’s get started with the code:

add_action( 'wpwhpro/webhooks/add_webhooks_actions', 'enhance_security_for_action_calls', 10, 3 );
function enhance_security_for_action_calls( $action, $response_ident_value, $response_api_key ){

	$incoming_secret_key = 'my_secret'; // This is the key of the secret value you define within your request
	$original_secret_value = 'THIS_IS_MY_SECRET_VALUE'; // This is the secret value you use to validate the request against

	// Read the secret from the body of the incoming request
	$response_body = WPWHPRO()->helpers->get_response_body();
	$secret = WPWHPRO()->helpers->validate_request_value( $response_body['content'], $incoming_secret_key );

	// Reject the call unless a string was sent and it matches the expected value.
	// hash_equals() compares in constant time and requires two strings.
	if( ! is_string( $secret ) || ! hash_equals( $original_secret_value, $secret ) ){
		status_header( 403 );
		echo json_encode( WPWHPRO()->helpers->translate( 'The secret key is not correct.', 'webhooks-secret-key-incorrect' ) );
		exit;
	}

}

To make the code work, you need to send a secret key along with your incoming request. For example, if you send an action to delete a user, you define action => delete_user. Now define one more key (in this example “my_secret”) and send with it the value you want to validate against the original value (defined as $original_secret_value).

As soon as a webhook call comes in, it is checked against the secret key, and the call exits if the secret key doesn’t match.
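The request and the check described above, as a self-contained added example in plain PHP (it is not code from the plugin or from this article, and it calls no WP Webhooks functions). It assumes the request body is JSON; the function names `build_request_body` and `secret_is_valid` are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration: plain PHP, no WordPress or WP Webhooks functions.
// The key name and action come from the article; the secret is its placeholder.
const SECRET_KEY_NAME = 'my_secret';
const SECRET_VALUE    = 'THIS_IS_MY_SECRET_VALUE';

// Sender side: the body posted to the webhook URL (JSON is an assumption).
function build_request_body( string $action, string $secret ): string {
	return json_encode( array(
		'action'        => $action,
		SECRET_KEY_NAME => $secret,
	) );
}

// Receiver side: true only if the body carries the expected secret.
function secret_is_valid( string $raw_body ): bool {
	$content = json_decode( $raw_body, true );
	if ( ! is_array( $content ) || ! isset( $content[ SECRET_KEY_NAME ] ) ) {
		return false; // malformed body or secret missing
	}
	$candidate = $content[ SECRET_KEY_NAME ];
	if ( ! is_string( $candidate ) ) {
		return false; // e.g. a list or number sent in place of the string
	}
	// hash_equals() compares in constant time; the known value goes first.
	return hash_equals( SECRET_VALUE, $candidate );
}

// Constructed sample requests covering the accept case and each reject case.
$samples = array(
	'correct secret' => build_request_body( 'delete_user', SECRET_VALUE ),
	'wrong secret'   => build_request_body( 'delete_user', 'guess' ),
	'secret missing' => json_encode( array( 'action' => 'delete_user' ) ),
	'secret is list' => json_encode( array( 'action' => 'delete_user', 'my_secret' => array( 'x' ) ) ),
	'not JSON'       => 'action=delete_user',
);

foreach ( $samples as $label => $body ) {
	printf( "%-15s %s\n", $label, secret_is_valid( $body ) ? 'accepted' : '403 rejected' );
}
```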

Updated on August 10, 2019
