Authentication via HTTPS Client Certificate
Copyleaks webhook servers support HTTPS connections for secure communication with your endpoints, preventing unauthorized access to transmitted data. To enable this security feature, simply provide an HTTPS endpoint when submitting a file for scanning. To further secure your endpoint, Copyleaks employs SSL client certificates to authenticate webhook requests and confirm they originate from Copyleaks. Self-signed certificates are also supported. To retrieve the latest SSL client certificate thumbprints, use the following REST API request:
This authentication method requires an HTTPS-enabled endpoint with SSL support. Non-secure HTTP connections do not support this feature.
Authentication via Developer Payload
An alternative method to prevent unauthorized access is by utilizing the properties.developerPayload field. To implement this:
- Set the developerPayload value to a unique, secret string known only to you.
- When receiving a webhook request, verify that the developerPayload in the request matches the expected value.
- For enhanced security, consider encrypting the secret string with a private key known only to your system.
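The check described in the steps above, as an added example that is not Copyleaks code. It goes one step beyond the list by deriving a different developerPayload for each scan with HMAC-SHA256 (a keyed hash, used here in place of the encryption the last step suggests), so a value captured from one webhook is not valid for another scan. The function names, the key, the scan IDs, the top-level developerPayload field in the webhook body, and taking the scan ID from your own endpoint URL are all assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a server-side key loaded from a secret store in real use.
# This value is constructed for the example.
PAYLOAD_KEY = b"constructed-demo-key-not-for-production"


def make_developer_payload(scan_id: str, key: bytes = PAYLOAD_KEY) -> str:
    """Value to send as properties.developerPayload when submitting scan_id."""
    return hmac.new(key, scan_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, scan_id: str, key: bytes = PAYLOAD_KEY) -> bool:
    """Return True only if the body carries the payload issued for scan_id."""
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return False
    if not isinstance(body, dict):
        return False
    # Assumption: the webhook body echoes the value in a top-level field.
    received = body.get("developerPayload")
    if not isinstance(received, str):
        return False
    expected = make_developer_payload(scan_id, key)
    # Constant-time comparison: response timing does not reveal how many
    # leading characters of a guessed value were correct.
    return hmac.compare_digest(
        received.encode("utf-8", "replace"), expected.encode("utf-8")
    )


if __name__ == "__main__":
    # Constructed sample: scan "scan-001" and the webhook body it should produce.
    payload = make_developer_payload("scan-001")
    good = ('{"developerPayload": "%s"}' % payload).encode("utf-8")
    print("matching scan:", verify_webhook(good, "scan-001"))
    print("replayed on another scan:", verify_webhook(good, "scan-002"))
    print("guessed value:", verify_webhook(b'{"developerPayload": "guess"}', "scan-001"))
```

Reject the request (for example with HTTP 401) and process nothing further when verify_webhook returns False.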
Configuring Web Application Firewalls (WAF)
Many users have security measures such as AWS WAF, Cloudflare, or other Web Application Firewalls (WAF) in place, which may block webhook requests if they appear suspicious. If you are not receiving webhook notifications, it may be due to your WAF filtering the requests.
Exclude Copyleaks Webhook Requests from WAF
To resolve this, allow Copyleaks’ webhooks by adding a custom header to the requests and configuring your WAF to allow requests containing this header. This ensures that webhook notifications are received without interference from security mechanisms. By employing these authentication methods and considering WAF exclusions, you can safeguard your webhook endpoints and ensure secure, uninterrupted communication with Copyleaks.
Static IP Addresses for Webhook Delivery (Enterprise)
For an enhanced layer of security, we offer enterprise customers the option to receive all webhook notifications from a static, predefined list of IP addresses. Enabling this feature allows you to configure your firewall to accept incoming traffic exclusively from our trusted servers, a practice known as IP allowlisting. This significantly reduces the risk of spoofing and ensures that your systems only process legitimate, verified requests from our platform. To have this feature enabled and to receive the list of static IPs for allowlisting, please contact your account manager.
Next Steps
Webhooks Overview
Learn about the different types of webhooks and how to configure them.
Technical Specifications
Review the technical specifications, including security considerations for API interactions.
Export Method
Understand how to export scan results, often delivered via webhooks.

