Webhook security is critical to ensure that requests to your endpoint are actually coming from Firecrawl and haven’t been tampered with. This page covers how to verify webhook authenticity and implement security best practices.
Why Webhook Security Matters
Without proper verification, attackers could:
- Send fake webhook requests to trigger unwanted actions
- Modify payload data to manipulate your application
- Overload your webhook endpoint with requests
How Firecrawl Signs Webhooks
Firecrawl signs every webhook request using HMAC-SHA256 encryption with your account’s secret key. This creates a unique signature for each request that proves:
- The request came from Firecrawl
- The payload hasn’t been modified
Finding Your Secret Key
Your webhook secret is available under the Advanced tab of your account settings. Each account has a unique secret that’s used to sign all webhook requests.
Keep your webhook secret secure and never expose it publicly. If you believe
your secret has been compromised, regenerate it immediately from your account
settings.
Signature Verification
How Signatures Work
Each webhook request includes an X-Firecrawl-Signature
header with this format:
X-Firecrawl-Signature: sha256=abc123def456...
The signature is computed as follows:
- Take the raw request body (JSON string)
- Create HMAC-SHA256 hash using your secret key
- Convert to hexadecimal string
- Prefix with
sha256=
Implementation Examples
import crypto from 'crypto';
import express from 'express';
const app = express();
// Use raw body parser for signature verification
app.use('/webhook/firecrawl', express.raw({ type: 'application/json' }));
app.post('/webhook/firecrawl', (req, res) => {
const signature = req.get('X-Firecrawl-Signature');
const webhookSecret = process.env.FIRECRAWL_WEBHOOK_SECRET;
if (!signature || !webhookSecret) {
return res.status(401).send('Unauthorized');
}
// Extract hash from signature header
const [algorithm, hash] = signature.split('=');
if (algorithm !== 'sha256') {
return res.status(401).send('Invalid signature algorithm');
}
// Compute expected signature
const expectedSignature = crypto
.createHmac('sha256', webhookSecret)
.update(req.body)
.digest('hex');
// Verify signature using timing-safe comparison
if (!crypto.timingSafeEqual(Buffer.from(hash, 'hex'), Buffer.from(expectedSignature, 'hex'))) {
return res.status(401).send('Invalid signature');
}
// Parse and process verified webhook
const event = JSON.parse(req.body);
console.log('Verified Firecrawl webhook:', event);
res.status(200).send('ok');
});
app.listen(3000, () => console.log('Listening on 3000'));
Step-by-Step Verification
- Extract the signature from the
X-Firecrawl-Signature
header
- Get the raw request body as received (don’t parse it first)
- Compute HMAC-SHA256 using your secret key and the raw body
- Compare signatures using a timing-safe comparison function
- Only process the webhook if signatures match
Security Best Practices
Always Validate Signatures
Never trust a webhook request without signature verification:
// ❌ BAD - No verification
app.post('/webhook', (req, res) => {
processWebhook(req.body); // Dangerous!
res.status(200).send('OK');
});
// ✅ GOOD - Verified first
app.post('/webhook', (req, res) => {
if (!verifySignature(req)) {
return res.status(401).send('Unauthorized');
}
processWebhook(req.body);
res.status(200).send('OK');
});
Use Timing-Safe Comparisons
Standard string comparison can leak timing information. Use dedicated functions:
- Node.js:
crypto.timingSafeEqual()
- Python:
hmac.compare_digest()
- Other languages: Look for “constant-time” or “timing-safe” comparison functions
Require HTTPS
Always use HTTPS endpoints for webhooks:
{
"url": "https://your-app.com/webhook" // ✅ Secure
}
{
"url": "http://your-app.com/webhook" // ❌ Insecure
}