保护您的 facebook chatbot webhook 的最佳做法是什么? [英] What is the best practice to secure your facebook chatbot webhook?
问题描述
我正在尝试在 facebook messenger 平台上开发聊天机器人.我浏览了 Facebook 文档,但找不到如何保护我的 webhook 免受随机调用的影响.
例如,如果用户可以使用我的机器人购买东西,那么知道某人用户 ID 的攻击者就可以通过调用我的 webhook 开始下未经授权的订单.
关于如何保护它,我有几个想法.
<块引用>- 将我的 API 列入白名单,只允许来自 Facebook 的调用.
- 创造一些东西就像带有回发调用的 CSRF 令牌一样.
有什么想法吗?
Facebook 当然已经实现了一种机制,您可以通过该机制检查对回调 URL 的请求是否真实(其他一切都只是他们的疏忽)– 参见 https://developers.facebook.com/docs/graph-api/webhooks#receiveupdates:
<块引用>HTTP 请求将包含一个 X-Hub-Signature 标头,其中包含请求负载的 SHA1 签名,使用应用程序密钥作为密钥,并以 sha1= 为前缀代码>.您的回调端点可以验证此签名以验证有效负载的完整性和来源
请注意,计算是在转义的 unicode 版本的负载上进行的,使用小写的十六进制数字.如果你只是根据解码的字节进行计算,你最终会得到一个不同的签名.例如,字符串 äöå 应该转义为 \u00e4\u00f6\u00e5.
I am playing around with developing a chatbot on facebook messenger platform. I went through the Facebook document and couldn't find how to protect my webhook from random calls.
For example, if users can buy stuff with my bots, an attacker that knows someone's userId can start placing unauthorized orders by making calls to my webhook.
I have several ideas on how to protect this.
- Whitelist my API to only calls from Facebook.
- Create something like CSRF tokens with the postback calls.
Any ideas?
Facebook has of course already implemented a mechanism by which you can check if requests made to your callback URL are genuine (everything else would just be negligence on their part) – see https://developers.facebook.com/docs/graph-api/webhooks#receiveupdates:
The HTTP request will contain an
X-Hub-Signatureheader which contains the SHA1 signature of the request payload, using the app secret as the key, and prefixed withsha1=. Your callback endpoint can verify this signature to validate the integrity and origin of the payloadPlease note that the calculation is made on the escaped unicode version of the payload, with lower case hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string
äöåshould be escaped to\u00e4\u00f6\u00e5.
这篇关于保护您的 facebook chatbot webhook 的最佳做法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
