Webhooks: Unique ID for Stream Offline Event

Webhook metadata, such as the notification ID, timestamp etc… that’s all sent in as headers as it’s not part of the payload itself.

Thank you, that helps. I totally missed these values because they were not mentioned in the docs.

To differentiate topic notifications, such as offline streams, which have identical payloads, you should use different callback URLs. For example: https://mydomain.com/webhooks/streams/12345 or https://mydomain.com/webhooks/streams?user=12345

I am already using different callback URLs for different streams, that’s basically the only way to differentiate offline stream events right now.

However, there is still this thing with predictable signatures and replay attacks.
I guess this is a “problem” of WebSub itself, and without the hub including a unique nonce or a timestamp that can also be validated by the subscriber to really be unique, this is impossible to prevent.

So I assume the only way to prevent this attack is to use non-guessable callback URL paths together with HTTPS to prevent attackers from even seeing the requests and replaying them, am I right?
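The following is an added example, not code from this thread or from the hub vendor, showing the receiver-side handling that the two answers above converge on: one unguessable callback path per subscription (so identical offline payloads can be told apart), a constant-time check of the body HMAC, and de-duplication plus a freshness window on the notification ID and timestamp read from the headers. The header names, the `sha256=` signature format, the sample secret and the callback path are assumptions for this example and should be adjusted to whatever your hub actually sends. The comments also state the limit the last post identifies: because only the body is signed, the ID and timestamp checks catch retries and naive replays, while the real defence against an attacker who captured a request remains the unguessable path served over HTTPS.

```python
"""Webhook receiver: header metadata, body HMAC check, replay de-duplication.
Added example; header names and sample values are assumptions."""
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed values: the shared secret handed to the hub at subscription time
# and the freshness window applied to the timestamp header.
SECRET = b"constructed-shared-secret-not-a-real-one"
MAX_AGE_SECONDS = 300

# Assumed header names (lower-cased; not taken from the thread). Adjust to your hub.
SIG_HEADER = "x-hub-signature"
ID_HEADER = "twitch-notification-id"
TS_HEADER = "twitch-notification-timestamp"


def sign(secret: bytes, body: bytes) -> str:
    """Value a WebSub hub places in X-Hub-Signature: HMAC-SHA256 over the body only."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of the body signature.

    The signature covers the body alone, so two offline notifications with the
    same (empty) payload carry the same signature. That is the predictability
    raised in the thread: headers such as the notification ID are NOT signed.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


def parse_timestamp(value: str) -> float:
    """RFC 3339 timestamp such as '2020-01-01T00:00:00Z' to a Unix epoch."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


class WebhookReceiver:
    def __init__(self, secret: bytes, callbacks: Dict[str, str]):
        self.secret = secret
        # Unguessable callback path -> subscribed user id. One random path per
        # subscription is what lets identical offline payloads be attributed.
        self.callbacks = dict(callbacks)
        self.seen: Dict[str, float] = {}  # notification id -> arrival time

    def handle(self, path: str, headers: Dict[str, str], body: bytes,
               now: Optional[float] = None) -> Tuple[str, str]:
        """Return ('accept', detail) or ('reject', reason) for one delivery."""
        now = time.time() if now is None else now
        h = {k.lower(): v for k, v in headers.items()}

        user = self.callbacks.get(path)
        if user is None:
            return "reject", "unknown callback path"
        if not verify_signature(self.secret, body, h.get(SIG_HEADER)):
            return "reject", "bad signature"

        notif_id, ts = h.get(ID_HEADER), h.get(TS_HEADER)
        if not notif_id or not ts:
            return "reject", "missing notification metadata headers"
        try:
            sent_at = parse_timestamp(ts)
        except ValueError:
            return "reject", "unparseable timestamp"
        # Freshness window and de-duplication. Caveat: these headers are outside
        # the signed material, so they stop hub retries and naive replays only;
        # the unguessable HTTPS callback path is what keeps a captured request
        # out of an attacker's hands in the first place.
        if abs(now - sent_at) > MAX_AGE_SECONDS:
            return "reject", "stale notification"
        self.seen = {i: t for i, t in self.seen.items() if now - t <= MAX_AGE_SECONDS}
        if notif_id in self.seen:
            return "reject", "duplicate notification id (retry or replay)"
        self.seen[notif_id] = now

        payload = json.loads(body)
        event = "offline" if not payload.get("data") else "online"
        return "accept", f"user={user} event={event} id={notif_id}"


if __name__ == "__main__":
    # Constructed sample delivery: an empty data array is the offline notification.
    body = b'{"data":[]}'
    path = "/webhooks/streams/7b1e9c0f-constructed-random-path"
    rx = WebhookReceiver(SECRET, {path: "12345"})
    hdrs = {"X-Hub-Signature": sign(SECRET, body),
            "Twitch-Notification-Id": "n-1",
            "Twitch-Notification-Timestamp": "2020-01-01T00:00:00Z"}
    print(rx.handle(path, hdrs, body, now=1577836800.0))
    print(rx.handle(path, hdrs, body, now=1577836801.0))  # same id again
```

Registering the random path per subscription (rather than the user id in clear) means a path learned from one stream gives nothing about another; the `seen` map should live in shared storage if more than one receiver process handles the same callback.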