Crafting a Great Webhooks Experience

Slide 1

Slide 1 text

Crafting a Great Webhooks Experience John Sheehan CEO, @Runscope

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

"user defined callbacks made with HTTP POST"

Slide 8

Slide 8 text

"Webhooks are the easiest way to remotely execute code." -- Jeﬀ Lindsay once when we were talking

Slide 9

Slide 9 text

HTTP Push Notifications

Slide 10

Slide 10 text

A Reverse API

Slide 11

Slide 11 text

Provider makes request to URL when an event happens. Consumer sets up a server to listen for callbacks. Consumer registers callback URL with provider.

Slide 12

Slide 12 text

Provider makes request to URL when an event happens. Consumer sets up a server to listen for callbacks. Consumer registers callback URL with provider.

Slide 13

Slide 13 text

Provider makes request to URL when an event happens. Consumer sets up a server to listen for callbacks. Consumer registers callback URL with provider.

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Implementing Webhooks

Slide 16

Slide 16 text

url = get_callback_url() data = get_webhook_payload_json() try: resp = requests.post(url, data=data) if not resp.ok: _logger.error(resp.content) except Exception as e: _logger.error(e)

Slide 17

Slide 17 text

Problem #1: Error Handling

Slide 18

Slide 18 text

> POST /callback < 400 Bad Request

Slide 19

Slide 19 text

> POST /callback < 302 Found < Location: http://

Slide 20

Slide 20 text

> POST /callback < 200 OK < Content-Type: text/plain <

Slide 21

Slide 21 text

Error Handling Suggestions

Slide 22

Slide 22 text

Be lenient in what you accept back if you can reasonably guess. Retry failed callbacks with exponential back oﬀ. Decide if redirects are to be followed or not.

Slide 23

Slide 23 text

Be lenient in what you accept back if you can reasonably guess. Retry failed callbacks with exponential back oﬀ. Decide if redirects are to be followed or not.

Slide 24

Slide 24 text

Be lenient in what you accept back if you can reasonably guess. Retry failed callbacks with exponential back oﬀ. Decide if redirects are to be followed or not.

Slide 25

Slide 25 text

Problem #2: Flooding

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

Active Queues ↪ ↪

Slide 28

Slide 28 text

Problem #3: Security

Slide 29

Slide 29 text

> POST http://localhost:3000

Slide 30

Slide 30 text

> POST http://foo.lvh.me

Slide 31

Slide 31 text

DoS Attack Vector

Slide 32

Slide 32 text

Proving the Source

Slide 33

Slide 33 text

Validation Techniques

Slide 34

Slide 34 text

Key Sharing

Slide 35

Slide 35 text

Request Signing

Slide 36

Slide 36 text

Re-fetch > POST /callback > { id: 123 } > GET /users/123 < { id: 123 } Webhook Callback App Code

Slide 37

Slide 37 text

Security Suggestions

Slide 38

Slide 38 text

Validate your requests. Document it well! Resolve IPs before making request. Consider proxying. Consider subscription validation for high-volume cases.

Slide 39

Slide 39 text

Validate your requests. Document it well! Resolve IPs before making request. Consider proxying. Consider subscription validation for high-volume cases.

Slide 40

Slide 40 text

Validate your requests. Document it well! Resolve IPs before making request. Consider proxying. Consider subscription validation for high-volume cases.