Security
eCourtDate provides two layers of security for webhook delivery. Both are recommended for production environments.
IP Whitelisting
IP allowlisting (also called whitelisting) means configuring your systems to only accept incoming requests from specific, known IP addresses — like a guest list at the door. Any request from an IP address not on the list is automatically rejected, preventing unauthorized systems from sending fake webhook data to your endpoint.
Restrict incoming requests to only eCourtDate's webhook IP addresses. The specific IPs are provided in the Console when you create a webhook. Add these addresses to your firewall or application-level allowlist to reject any requests originating from unknown sources.
HMAC Signature Verification
HMAC signature verification is like a tamper-proof seal on a package. eCourtDate attaches a cryptographic signature to every webhook request using a shared secret that only you and eCourtDate know. When you receive a webhook, you recalculate the signature and compare it — if they match, you know the message genuinely came from eCourtDate and wasn't modified in transit.
Each webhook request includes an X-ECD-Signature header containing an HMAC-SHA256 signature computed from the request body. The shared secret used to generate this signature is configured in the Console and can be up to 24 characters in length.
By verifying this signature on your end, you can confirm that the request was sent by eCourtDate and that the payload has not been tampered with in transit.
See Verification for implementation details and code examples.
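A receiver-side check combining both layers, added here as an illustration and not eCourtDate's own code. It assumes the `X-ECD-Signature` header carries a hex-encoded digest (the page does not state the encoding); the IP address, secret, and sample body are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholders: take the real IPs and secret from the Console.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]  # documentation range
SHARED_SECRET = b"example-secret-24-chars!"  # constructed, 24 characters


def ip_allowed(source_ip, networks=ALLOWED_NETWORKS):
    """Layer 1: accept only peers inside the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparsable peer address is rejected, not trusted
    return any(addr in net for net in networks)


def expected_signature(raw_body, secret=SHARED_SECRET):
    """HMAC-SHA256 over the exact bytes received, hex-encoded (assumed encoding)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signature_valid(raw_body, header_value, secret=SHARED_SECRET):
    """Layer 2: constant-time comparison against the X-ECD-Signature value."""
    if not header_value:
        return False  # a missing header fails closed
    supplied = header_value.strip().lower().encode("ascii", "ignore")
    expected = expected_signature(raw_body, secret).encode("ascii")
    return hmac.compare_digest(supplied, expected)


def accept_webhook(source_ip, raw_body, header_value):
    """Return True only when both layers pass; call this before parsing the body."""
    return ip_allowed(source_ip) and signature_valid(raw_body, header_value)


if __name__ == "__main__":
    body = b'{"id":"constructed-123"}'  # constructed sample payload
    good = expected_signature(body)
    print(accept_webhook("203.0.113.10", body, good))         # valid request
    print(accept_webhook("203.0.113.10", body + b" ", good))  # body modified
    print(accept_webhook("198.51.100.7", body, good))         # unknown source IP
```

Pass the raw request bytes exactly as received, since re-serializing parsed JSON changes the digest. Behind a reverse proxy, `source_ip` must come from a proxy you control rather than from a client-supplied forwarding header.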
Recommended Security Headers
Configure your webhook endpoint to return the following response headers:
| Header | Value |
|---|---|
| Content-Security-Policy | default-src 'none' |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| X-XSS-Protection | 1; mode=block |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
These headers harden your endpoint against common web vulnerabilities and signal to clients and proxies that the endpoint is security-conscious.
Next Steps
- Verification -- implement HMAC signature verification in your application
- Implementation Examples -- see a complete server with IP whitelisting and signature checks