Security considerations
Endpoint Security
HTTPS Requirement
All webhook endpoints must use HTTPS with:
- TLS version 1.2 or higher
- Valid SSL certificate from a trusted Certificate Authority
- Certificate must match your endpoint domain
- Certificate must not be expired
IP Whitelisting
Add SCALAR's IP addresses to your firewall whitelist:
| AWS Region | Environment | IP Addresses |
|---|---|---|
| ap-south-1 | Production | 65.1.41.252, 3.6.20.213, 65.1.30.209 |
| eu-west-1 | Production | 99.80.255.188, 54.170.181.207, 34.254.27.58 |
HMAC Signature Validation
Webhook authenticity is verified through HMAC-SHA256 signatures:
Signature Process
- SCALAR signs each request using your webhook secret
- Signature is included in the X-Webhook-Signature header
- Format: sha256=calculated_hash
Validation Implementation
Always validate signatures before processing events. Example logic:
- Extract the signature from X-Webhook-Signature header
- Read the raw request body
- Calculate HMAC-SHA256 of body using your webhook secret
- Compare calculated hash with provided signature
- Reject request if signatures don't match
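The validation steps above, as an added Python example (not SCALAR's own code). It assumes the hash after sha256= is a lowercase hex digest, which this page does not specify; the function names, sample secret and sample body are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_PREFIX = "sha256="  # format given on this page: sha256=calculated_hash


def compute_signature(raw_body: bytes, secret: bytes) -> str:
    """Return the header value expected for this body (hex digest is an assumption)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return SIGNATURE_PREFIX + digest


def verify_webhook_signature(raw_body: bytes, header_value, secret: bytes) -> bool:
    """Validate X-Webhook-Signature against the raw, unparsed request body."""
    if not header_value or not secret:
        return False  # missing header or unset secret: reject, never fail open
    header_value = header_value.strip()
    if not header_value.startswith(SIGNATURE_PREFIX):
        return False  # unknown scheme or malformed header
    provided = header_value[len(SIGNATURE_PREFIX):].lower()
    expected = compute_signature(raw_body, secret)[len(SIGNATURE_PREFIX):]
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guessed signature were right.
    try:
        return hmac.compare_digest(provided.encode("ascii"), expected.encode("ascii"))
    except UnicodeEncodeError:
        return False  # non-ASCII characters cannot be a hex digest


# Constructed sample values, not real SCALAR data.
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"event":"example.created","id":"evt_0001"}'

if __name__ == "__main__":
    good = compute_signature(SAMPLE_BODY, SAMPLE_SECRET)
    print(verify_webhook_signature(SAMPLE_BODY, good, SAMPLE_SECRET))   # genuine request
    reserialized = SAMPLE_BODY.replace(b":", b": ")                     # parsed and re-dumped JSON
    print(verify_webhook_signature(reserialized, good, SAMPLE_SECRET))  # same data, different bytes
    print(verify_webhook_signature(SAMPLE_BODY, None, SAMPLE_SECRET))   # header missing
```

Pass the bytes exactly as received from the socket or framework; a body that has been parsed and re-serialized will not reproduce the signed bytes.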