jaclag
Contributor II

Tutorial: how to validate the payload of a webhook event with the qlik-signature field

Hello, community.

We're actually testing the webhook integration in Qlik SaaS, following the documentation.

The doc explains that you can configure a secret, that is used to sign the payload of the events for consistency and security. Then the signature is added to the qlik-signature header field of the request. You can then compute the signature on the webhook side and compare it with the one in the header to validate the payload. The problem is that there is nowhere in the doc you can find the way to sign the payload the same way it's done on the Qlik side (if there is, I didn't find it).

I opened a ticket with support, and they are looking for the answer with the R&D team. In parallel I made some tests and I think I have the answer, so I am posting it here. You can easily reproduce this with a tool like Notepad++ and the NppCrypt plugin, by minifying the payload (that you will find in the Qlik console below your webhook config), selecting the whole string, then hashing the string with these parameters:

- Hashing algo: SHA-2
- Encoding: Hex
- Digest: 256 bits
- HMAC key: the secret you configured in the webhook config in Qlik

Then compare the hash with the qlik-signature header field, case insensitive.

I tested it with some events and it seems good. The support or R&D team could confirm that I'm right using this algo. It's easy to find some code on the web for achieving this on the webhook side, for instance something like this in NodeJS (here in SHA1 for the GitHub webhook signature, but the principle is the same, just adapt).

Hoping it will help you all to secure your webhook endpoints 🙂

Enjoy the webhooks for easy integration with your ecosystem!

Julien
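
The check described in the post, as an added Node.js example (not part of the original post and not Qlik's code). It assumes the scheme the post reports, HMAC-SHA256 over the minified body as received with a hex digest; the function names, secret and payload are constructed for illustration.

```javascript
// Added example: verifies qlik-signature using the scheme the post describes
// (HMAC-SHA256 keyed with the webhook secret, hex digest, case-insensitive).
const crypto = require("crypto");

// Hex HMAC-SHA256 of the exact body bytes.
function hmacHex(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// rawBody must be the bytes as received: re-serializing parsed JSON can change
// whitespace or key order and therefore the digest.
function verifyQlikSignature(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== "string") return false;
  const candidate = signatureHeader.trim().toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(candidate)) return false; // not a SHA-256 hex digest
  const expected = Buffer.from(hmacHex(rawBody, secret), "hex");
  // Constant-time comparison of two 32-byte buffers.
  return crypto.timingSafeEqual(expected, Buffer.from(candidate, "hex"));
}

// Handler for http.createServer(): check the signature before parsing the body.
function webhookHandler(secret, onEvent) {
  return (req, res) => {
    const chunks = [];
    req.on("data", (chunk) => chunks.push(chunk));
    req.on("end", () => {
      const raw = Buffer.concat(chunks);
      if (!verifyQlikSignature(raw, req.headers["qlik-signature"], secret)) {
        res.writeHead(401).end();
        return;
      }
      onEvent(JSON.parse(raw.toString("utf8")));
      res.writeHead(204).end();
    });
  };
}

// Constructed sample values, not real Qlik data.
const SAMPLE_SECRET = "constructed-secret";
const SAMPLE_BODY = Buffer.from('{"id":"constructed-1","note":"sample event"}');
const sampleSig = hmacHex(SAMPLE_BODY, SAMPLE_SECRET).toUpperCase();
console.log("valid:", verifyQlikSignature(SAMPLE_BODY, sampleSig, SAMPLE_SECRET));
console.log("tampered:", verifyQlikSignature(Buffer.from('{"id":"constructed-2"}'), sampleSig, SAMPLE_SECRET));
```

If a framework parses JSON before your handler runs, configure it to expose the raw body as well, since the signature has to be computed over those bytes.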
