Question
I am playing around with developing a chatbot on the Facebook Messenger platform. I went through the Facebook documentation and couldn't find how to protect my webhook from random calls.
For example, if users can buy stuff with my bots, an attacker who knows someone's userId can start placing unauthorized orders by making calls to my webhook.
I have several ideas on how to protect this.
1) Whitelist my api to only calls from facebook.
2) Create something like CSRF tokens with the postback calls.
Any ideas?
Answer 1:
Facebook has of course already implemented a mechanism by which you can check if requests made to your callback URL are genuine (everything else would just be negligence on their part) – see https://developers.facebook.com/docs/graph-api/webhooks#receiveupdates:
"The HTTP request will contain an X-Hub-Signature header which contains the SHA1 signature of the request payload, using the app secret as the key, and prefixed with sha1=. Your callback endpoint can verify this signature to validate the integrity and origin of the payload.

Please note that the calculation is made on the escaped unicode version of the payload, with lower case hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string äöå should be escaped to \u00e4\u00f6\u00e5."
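The verification the answer describes, as an added example that is not part of the original post or of Facebook's own code: it computes the HMAC-SHA1 over the raw request bytes, compares in constant time, and shows why re-serializing the decoded JSON (unescaped unicode) produces a different signature. The app secret and the payload are constructed values, and sign_payload only simulates the sending side so the check can be exercised offline.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed value for this example; a real app secret comes from the app dashboard.
APP_SECRET = "example-app-secret-not-real"

# Constructed webhook payload as the raw bytes Facebook would POST: non-ASCII text
# arrives already escaped as \uXXXX with lower-case hex digits, as the docs describe.
RAW_BODY = (b'{"object":"page","entry":[{"id":"PAGE_ID","messaging":[{"sender":{"id":"USER_ID"},'
            b'"message":{"text":"\\u00e4\\u00f6\\u00e5"}}]}]}')


def sign_payload(raw_body: bytes, app_secret: str) -> str:
    """Sender side (simulating Facebook here): build the X-Hub-Signature header value."""
    digest = hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha1).hexdigest()
    return "sha1=" + digest


def verify_x_hub_signature(raw_body: bytes, header_value: Optional[str], app_secret: str) -> bool:
    """Return True only if header_value is a valid HMAC-SHA1 of raw_body under app_secret.

    raw_body must be the request body exactly as received, before any JSON decoding.
    A missing header or an unexpected prefix is rejected outright.
    """
    if not header_value or not header_value.startswith("sha1="):
        return False
    expected = hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha1).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, header_value[len("sha1="):].lower())


def reserialized_body(raw_body: bytes) -> bytes:
    """Decode and re-encode the JSON with unescaped unicode: what a naive handler might hash."""
    obj = json.loads(raw_body)
    return json.dumps(obj, ensure_ascii=False, separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    header = sign_payload(RAW_BODY, APP_SECRET)
    print("raw body verifies:          ", verify_x_hub_signature(RAW_BODY, header, APP_SECRET))
    print("re-serialized body verifies:", verify_x_hub_signature(reserialized_body(RAW_BODY), header, APP_SECRET))
    print("missing header verifies:    ", verify_x_hub_signature(RAW_BODY, None, APP_SECRET))
```

In a real handler, read the body bytes before any framework JSON parsing and reject the request when verification fails, which also covers the "unauthorized orders via direct webhook calls" concern in the question.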
Source: https://stackoverflow.com/questions/36620841/what-is-the-best-practice-to-secure-your-facebook-chatbot-webhook