# Webhooks Security

> Learn how to secure your Copyleaks webhook endpoints against unauthorized access and ensure reliable communication.

Communication with the Copyleaks service is conducted via RESTful requests and responses. Some operations are processed asynchronously; for those, a webhook notification is sent when processing completes.  

Since your server must be accessible over the internet to receive webhook notifications, it is crucial to ensure that incoming requests originate from Copyleaks. To verify the authenticity of webhook requests, you can implement one or more of the following security measures.  

## Authentication via HTTPS Client Certificate  

Copyleaks webhook servers support **HTTPS connections** for secure communication with your endpoints, preventing unauthorized access to transmitted data. To enable this security feature, simply provide an **HTTPS endpoint** when submitting a file for scanning.  

To further secure your endpoint, Copyleaks employs **SSL client certificates** to authenticate webhook requests and confirm they originate from Copyleaks. Self-signed certificates are also supported.  

To retrieve the latest SSL client certificate thumbprints, use the following REST API request:  
```http
GET https://api.copyleaks.com/v2/security/client-certificates
```
<Note>
This authentication method requires an HTTPS-enabled endpoint with SSL support. Non-secure HTTP connections do not support this feature.  
</Note>
Since this list is **dynamic** and subject to change, we recommend setting up an automated process to update your environment daily.  

## Authentication via Developer Payload  

An alternative method to prevent unauthorized access is by utilizing the `properties.developerPayload` field. To implement this:  

1. Set the `developerPayload` value to a unique, secret string known only to you.  
2. When receiving a webhook request, verify that the `developerPayload` in the request matches the expected value.  
3. For enhanced security, consider encrypting the secret string with a private key known only to your system.  
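The following is an added example, not Copyleaks' own code, showing how a webhook receiver can combine the two checks above: it caches the published thumbprint list and refreshes it daily, compares the thumbprint of the client certificate presented on the connection, and compares `developerPayload` in constant time. It assumes the thumbprints are SHA-1 hex strings, that the caller supplies a `fetch_thumbprints` function wrapping the REST call, and that the webhook body carries the value under `developerPayload`.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional

def thumbprint_of(cert_der: bytes) -> str:
    # SHA-1 over the DER encoding, upper-case hex: the conventional certificate
    # thumbprint. Assumption: Copyleaks lists SHA-1 thumbprints; use sha256 if not.
    return hashlib.sha1(cert_der).hexdigest().upper()

class WebhookVerifier:
    def __init__(self, fetch_thumbprints: Callable[[], list[str]],
                 expected_payload: str, refresh_seconds: int = 24 * 3600):
        # fetch_thumbprints is assumed to call GET /v2/security/client-certificates
        # and return the thumbprints as strings (the response shape is not shown on
        # the page, so mapping it to a list of strings is left to the caller).
        self._fetch = fetch_thumbprints
        self._expected = expected_payload.encode()
        self._refresh_seconds = refresh_seconds
        self._allowed: set[str] = set()
        self._loaded_at: Optional[float] = None

    def refresh(self, now: Optional[float] = None) -> None:
        # The published list is dynamic: re-fetch it once per interval (daily here).
        # Thumbprints are often displayed with colons or spaces, so store canonical hex.
        now = time.time() if now is None else now
        if self._loaded_at is None or now - self._loaded_at >= self._refresh_seconds:
            self._allowed = {"".join(c for c in t if c.isalnum()).upper() for t in self._fetch()}
            self._loaded_at = now

    def client_cert_ok(self, cert_der: Optional[bytes], now: Optional[float] = None) -> bool:
        # cert_der is the peer certificate in DER form, e.g. from
        # ssl.SSLSocket.getpeercert(binary_form=True) or forwarded by your TLS proxy.
        if not cert_der:
            return False  # no client certificate presented: reject
        self.refresh(now)
        return thumbprint_of(cert_der) in self._allowed

    def payload_ok(self, body: dict) -> bool:
        # Assumption: the webhook carries the value as "developerPayload" at the top
        # level, falling back to "properties.developerPayload". Constant-time compare.
        value = body.get("developerPayload", body.get("properties", {}).get("developerPayload"))
        if not isinstance(value, str):
            return False
        return hmac.compare_digest(value.encode(), self._expected)

    def is_authentic(self, cert_der: Optional[bytes], body: dict, now=None) -> bool:
        return self.client_cert_ok(cert_der, now) and self.payload_ok(body)
```

Feed `is_authentic` the DER certificate your TLS terminator exposes and the parsed JSON body; reject the request on `False` before doing any work with it.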

By employing these authentication methods, you can safeguard your webhook endpoints and ensure secure communication with Copyleaks.  

## Configuring Web Application Firewalls (WAF)
Many users have security measures such as AWS WAF, Cloudflare, or other Web Application Firewalls (WAF) in place, which may block webhook requests if they appear suspicious. If you are not receiving webhook notifications, it may be due to your WAF filtering the requests.

### Exclude Copyleaks Webhook Requests from WAF
To resolve this, allow Copyleaks' webhooks by adding a custom header to the requests and configuring your WAF to allow requests containing this header. This ensures that webhook notifications are received without interference from security mechanisms.

By employing these authentication methods and considering WAF exclusions, you can safeguard your webhook endpoints and ensure secure, uninterrupted communication with Copyleaks.

## Static IP Addresses for Webhook Delivery <Badge>Enterprise</Badge>
For an enhanced layer of security, we offer enterprise customers the option to receive all webhook notifications from a static, predefined list of IP addresses. Enabling this feature allows you to configure your firewall to accept incoming traffic exclusively from our trusted servers, a practice known as IP allowlisting. This significantly reduces the risk of spoofing and ensures that your systems only process legitimate, verified requests from our platform. To have this feature enabled and to receive the list of static IPs for allowlisting, please contact your account manager.

## Next Steps

<CardGroup cols={2}>
  <Card title="Webhooks Overview" icon="plug" href="/reference/data-types/authenticity/webhooks/overview/">Learn about the different types of webhooks and how to configure them.</Card>
  <Card title="Technical Specifications" icon="gauge-high" href="/reference/data-types/authenticity/technical-specifications/">Review the technical specifications, including security considerations for API interactions.</Card>
  <Card title="Export Method" icon="file-export" href="/reference/actions/downloads/export/">Understand how to export scan results, often delivered via webhooks.</Card>
</CardGroup>
