Webhook Authentication

[CloudPress]

Looking at the webhook docs for Inbound processing I do not see anyway for postmark to authenticate itself so my webhook can know its a legitimate message from postmark. Not that I expect to get a non-legitimate email posting that did not come from postmark is always good just to make sure.

[Milan Gornik]

Hi,

To make sure post is really coming from Postmark, you might use basic authentication scheme with your inbound hook URL. So your inbound hook URL set in Postmark will look something like:

https://username:password@yourhostname/inboundhook

This way, access to your inbound hook is protected by username and password. Of course, your web app needs to prevent access for any other credentials. Also, secure protocol will be used, so this is a good way to protect your hook. You may want to read additional sources on security strength with HTTPS/basic auth, like: http://stackoverflow.com/questions/1837627/is-basic-auth-with-ssl-secure-enough

Regards,

Milan Gornik

Postmark developer, Wildbit

http://twitter.com/milan_gornik