Webhook Listener HTTP Request Header Mapping

Comments

2 comments

  • Scott Henderson CTO
    Answer Pro
    Top Contributor

    We currently do not provide any mechanism to access the HTTP headers sent to a webhook listener, but I will pass this along as an enhancement request to the product management team. This enhancement will be somewhat tricky to design and implement securely, because HTTP headers often contain security-sensitive information. Some webhook providers like Shopify are really secure and use HMAC auth, but many other webhook providers are less secure, and we don't want integrator.io to be responsible for accidentally logging API tokens, passwords, etc. in clear text anywhere in the product. For example, in flow error retry data, webhook listener debug logs, etc.

    As a workaround, would it be possible for you to create a separate webhook listener bubble for each Shopify store (and of course do the matching config in Shopify to have a separate webhook for each store), and then you can use a preSavePage hook attached to each bubble in your flow to add the extra store info to the data payloads? Hopefully this pic will help illustrate what I am trying to describe.

    0
  • Christian Courtois

    Thanks for the prompt reply Scott. I see the workaround that you are doing here which makes sense. It's more things to code into the flow, but it does make sense. My only issue is that some companies provide needed data within their HTTP headers only and don't send it in the body data.

    In regards to the header security, I completely understand where you're coming from. From my perspective, the security risk should solely fall onto the responsibility of the user creating the mapping. If you are mapping HMAC tokens or other sensitive data, then you should be responsible if that data gets logged or whatnot, kind of like data privacy policies in regards to PII data. But if you're mapping other header data that's not sensitive such as the Shopify store domain to pass along downstream, this should be allowed. Just my 2 cents on the issue.

    It would be a great enhancement if the team would be able to add this feature in the future. Thanks for your workaround above. Celigo has been great so far!

    0
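
The trade-off discussed in the two comments above (non-sensitive headers such as the Shopify store domain made available for mapping, while tokens and signatures never reach retry data or debug logs) can be expressed as an allowlist. This is an added example, not code from the thread and not integrator.io's API; `splitHeaders`, `attachHeaders`, the `_headers` field and the allowlist contents are hypothetical, and the sample request is constructed.

```javascript
// Added example: a generic allowlist filter, not integrator.io code.
// Assumption: only these header names are considered safe to map and store.
const MAPPABLE = new Set(['x-shopify-shop-domain', 'x-shopify-topic']);

// Split incoming headers into:
//   mappable - allowlisted values that may be copied into record data
//   logView  - what may be written to logs; every other value is masked
function splitHeaders(rawHeaders, allowlist = MAPPABLE) {
  // Null-prototype objects so a header named "__proto__" is plain data.
  const mappable = Object.create(null);
  const logView = Object.create(null);
  for (const [name, value] of Object.entries(rawHeaders)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    const text = Array.isArray(value) ? value.join(', ') : String(value);
    if (allowlist.has(key)) {
      mappable[key] = text;
      logView[key] = text;
    } else {
      // Default deny: unknown headers are treated as secrets.
      logView[key] = '[REDACTED]';
    }
  }
  return { mappable, logView };
}

// Attach only the allowlisted headers to each record before it moves
// downstream, so retry data built from the records holds no credentials.
function attachHeaders(records, rawHeaders, allowlist = MAPPABLE) {
  const { mappable } = splitHeaders(rawHeaders, allowlist);
  return records.map((r) => ({ ...r, _headers: { ...mappable } }));
}

// Constructed sample request (values are made up for the example).
const sampleHeaders = {
  'X-Shopify-Shop-Domain': 'example-store.myshopify.com',
  'X-Shopify-Topic': 'orders/create',
  'X-Shopify-Hmac-Sha256': 'constructed-signature-value',
  Authorization: 'Bearer constructed-token',
};
const sampleRecords = [{ id: 1001 }, { id: 1002 }];

console.log(JSON.stringify(splitHeaders(sampleHeaders).logView));
console.log(JSON.stringify(attachHeaders(sampleRecords, sampleHeaders)));
```

Because the filter denies by default, a provider that sends a credential in an unexpected header is masked unless someone deliberately adds that header name to the allowlist.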
