 

What is the best practice to secure your facebook chatbot webhook?

I am playing around with developing a chatbot on the Facebook Messenger platform. I went through the Facebook documentation and couldn't find how to protect my webhook from random calls.

For example, if users can buy stuff with my bots, an attacker that knows someone's userId can start placing unauthorized orders by making calls to my webhook.

I have several ideas on how to protect this.

  1. Whitelist my API to only calls from Facebook.
  2. Create something like CSRF tokens with the postback calls.

Any ideas?

nate asked Oct 14 '25 14:10


1 Answer

Facebook has of course already implemented a mechanism by which you can check if requests made to your callback URL are genuine (everything else would just be negligence on their part) – see https://developers.facebook.com/docs/graph-api/webhooks/getting-started#validate-payloads

We sign all Event Notification payloads with a SHA256 signature and include the signature in the request's X-Hub-Signature-256 header, preceded with sha256=. You don't have to validate the payload, but you should.

To validate the payload:

  1. Generate a SHA256 signature using the payload and your app's App Secret.
  2. Compare your signature to the signature in the X-Hub-Signature-256 header (everything after sha256=). If the signatures match, the payload is genuine.

Please note that we generate the signature using an escaped unicode version of the payload, with lowercase hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string äöå should be escaped to \u00e4\u00f6\u00e5.

CBroe answered Oct 19 '25 12:10
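The validation procedure quoted in the answer, worked through in Python as an added example (this is not code from the question, the answer, or Facebook's SDKs). It assumes a hypothetical App Secret constant, a constructed Messenger-style event body, and a small handler function; all three are made up for this example. The point it demonstrates beyond the prose: the HMAC must be computed over the raw request body bytes exactly as received, because Facebook signs the escaped-unicode form it sent, so parsing the JSON and re-serializing it (which turns `\u00e4` back into the UTF-8 bytes of `ä`) produces a different signature.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed value for this example. A real deployment loads the App Secret
# from configuration or a secrets manager and never hard-codes it.
APP_SECRET = b"example-app-secret-do-not-use"


def sign_payload(raw_body: bytes, app_secret: bytes = APP_SECRET) -> str:
    """Return the X-Hub-Signature-256 value Facebook would send for raw_body.

    HMAC-SHA256 keyed with the App Secret, hex-encoded, prefixed with 'sha256='.
    """
    digest = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(raw_body: bytes, header_value: Optional[str],
                     app_secret: bytes = APP_SECRET) -> bool:
    """Validate X-Hub-Signature-256 over the raw request body bytes.

    raw_body must be the bytes as read from the wire, before any JSON parsing
    or re-serialization, because the signature covers the escaped-unicode
    text Facebook sent (e.g. the six characters \\u00e4, not the UTF-8 bytes of 'ä').
    """
    if not header_value:
        return False
    scheme, sep, received_hex = header_value.partition("=")
    if sep != "=" or scheme != "sha256":
        return False
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, received)


# Constructed Messenger-style event whose message text is non-ASCII.
# Facebook delivers it with lowercase \u escapes; that is what gets signed.
RAW_BODY = (
    b'{"object":"page","entry":[{"id":"123","time":1,"messaging":[{"sender":{"id":"456"},'
    b'"message":{"text":"\\u00e4\\u00f6\\u00e5"}}]}]}'
)
GOOD_HEADER = sign_payload(RAW_BODY)


def handle_webhook(raw_body: bytes, headers: dict):
    """Hypothetical handler: refuse anything that does not verify, and only then
    trust the sender id inside the payload for authorization decisions."""
    if not verify_signature(raw_body, headers.get("X-Hub-Signature-256")):
        return 403, "invalid signature"
    event = json.loads(raw_body)
    sender = event["entry"][0]["messaging"][0]["sender"]["id"]
    return 200, f"event from {sender}"


def reserialized_body(raw_body: bytes) -> bytes:
    """The common mistake: parse the JSON, then dump it again with non-ASCII
    kept raw. Same JSON meaning, different bytes, so the signature no longer
    matches. Shown here only to demonstrate the failure mode."""
    obj = json.loads(raw_body)
    return json.dumps(obj, ensure_ascii=False, separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    print(handle_webhook(RAW_BODY, {"X-Hub-Signature-256": GOOD_HEADER}))
    print(handle_webhook(RAW_BODY, {}))
    print(verify_signature(reserialized_body(RAW_BODY), GOOD_HEADER))
```

In a real web framework, read the body with whatever gives you the unmodified bytes (for example the request's raw body attribute) before any JSON middleware touches it, and keep the App Secret out of the code. Once the signature verifies, the request provably came from someone holding your App Secret, which is what answers the original concern: an attacker who merely knows a user's id cannot forge a postback, because they cannot produce a valid `X-Hub-Signature-256` for their fabricated body.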


