Hi,
I’m hitting the same issue as this thread: Webhook has empty x-shiphero-hmac-sha256 signature . PO Update and other webhooks on the same account sign fine.
Tried re-registering under both the 3PL and customer accounts, with and without customer_account_id. No change.
Can someone from ShipHero confirm if this is a known bug on Order Canceled, and what the recommended verification approach is in the meantime?
Thanks in advance,
I’m the OP of the thread you linked. I had to use the user_agent as a validation method to verify that the request is coming from Ship Hero.
Thanks @kevchcm, greatly appreciate your response!
I will definitely consider using that as an initial filter.
I do hope that ShipHero responds to this matter because the absence of the hmac signature still leaves us vulnerable to spoofing, especially when dealing with a webhook that signals order cancellations.