Identity Verification

One of the most important ways to secure your users' identities is Identity Verification, which we describe here.

Webhook Integrity

We recommend that you verify the authenticity of every webhook event delivered to your webhook endpoint. Each TalkJS webhook event is sent with the X-Talkjs-Signature and X-TalkJS-Timestamp header fields; together with your secret key, these let you verify the integrity and authenticity of the event by recomputing the signature and comparing it with the received one, as shown below (pseudocode):

received_signature = header["X-Talkjs-Signature"];
timestamp = header["X-TalkJS-Timestamp"];

// raw_post_body MUST be the full byte-for-byte HTTP POST body as received,
// not a re-serialized copy of the parsed JSON (re-serializing changes bytes)
payload = timestamp + "." + raw_post_body
valid_signature = HMAC_SHA256(your_secret_key, payload)

// Compare with a constant-time comparison so response timing does not
// reveal how much of the signature matched
if (constant_time_equals(valid_signature, received_signature)) {
    // Authentic webhook request
    // do something with the event
} else {
    // The integrity check failed, discard the event
}

Content Security Policy

Content Security Policy (CSP) is a security layer that helps to detect and protect against certain types of attacks like XSS or clickjacking. If you want to secure your application, which we recommend, then please follow the instructions presented below.

TalkJS uses iframes behind the scenes to isolate its UI from your website. The only CSP directive you need to add is frame-src, which specifies the valid sources for nested browsing contexts loaded with elements such as <iframe>.

frame-src https://*.talkjs.com

In a Content-Security-Policy header the directive name and its source list are separated by a space, not a colon; the whole header is a semicolon-separated list of such directives. If your policy already has a frame-src directive, append the TalkJS source to it rather than adding a second frame-src, since browsers ignore duplicate directives after the first.
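The helper below is an added example, not TalkJS's own code, and illustrates two things the instruction above leaves implicit: how to add https://*.talkjs.com to an existing policy without clobbering sources that are already allowed, and why the directive is needed at all. When frame-src is absent, browsers fall back to child-src and then default-src, so a site that sets default-src 'self' and nothing else silently blocks the TalkJS iframe. The source matcher is a simplified model of the CSP matching rules (scheme, exact host, leading host wildcard, 'self', '*', 'none'); it does not handle ports, paths or nonce/hash keywords, and the sample policies are constructed for this example.

```javascript
// Parse a CSP header value into an ordered map: directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Serialize the map back into a header value, preserving directive order.
function serializeCsp(directives) {
  return [...directives.entries()]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Add a source to frame-src, creating the directive if it is missing and
// leaving every other directive untouched. A frame-src 'none' would
// contradict the newly allowed source, so it is dropped.
function allowFrameSource(policy, source) {
  const directives = parseCsp(policy);
  const existing = directives.get("frame-src") ?? [];
  if (!existing.includes(source)) {
    directives.set("frame-src", [...existing.filter((s) => s !== "'none'"), source]);
  }
  return serializeCsp(directives);
}

// Simplified CSP source-expression match against an origin such as
// "https://app.talkjs.com". siteOrigin is the origin of the page itself,
// needed for 'self'. Ports and paths in source expressions are not modelled.
function sourceMatches(source, origin, siteOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return origin === siteOrigin;
  if (source.startsWith("'")) return false; // nonce/hash keywords: not for frames
  const [scheme, hostPattern] = source.includes("://")
    ? source.split("://")
    : [null, source];
  const url = new URL(origin);
  if (scheme && `${scheme}:` !== url.protocol) return false;
  // "*.talkjs.com" matches subdomains only, not the apex "talkjs.com".
  if (hostPattern.startsWith("*.")) return url.host.endsWith(hostPattern.slice(1));
  return url.host === hostPattern;
}

// Would this policy let a nested browsing context load from origin?
// Follows the frame-src -> child-src -> default-src fallback chain.
function frameAllowed(policy, origin, siteOrigin) {
  const d = parseCsp(policy);
  const sources = d.get("frame-src") ?? d.get("child-src") ?? d.get("default-src");
  if (!sources) return true; // no governing directive: frames unrestricted
  return sources.some((s) => sourceMatches(s, origin, siteOrigin));
}

// Constructed demonstration: a policy without frame-src blocks the TalkJS
// iframe; the same policy with the directive added allows it.
const basePolicy = "default-src 'self'; script-src 'self'";
const fixedPolicy = allowFrameSource(basePolicy, "https://*.talkjs.com");
console.log(frameAllowed(basePolicy, "https://app.talkjs.com", "https://example.com")); // false
console.log(fixedPolicy);
console.log(frameAllowed(fixedPolicy, "https://app.talkjs.com", "https://example.com")); // true
```

Apply the merged policy wherever your framework sets the Content-Security-Policy response header (for example in a middleware that computes it once at startup), and check with frameAllowed against the origins you expect TalkJS to load from before deploying a policy change.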