
Security signature

Add an extra layer of security to your data
Written by Konstantine
Updated 4 days ago

What is a Security Signature?

A security signature is a unique, cryptographic key used to validate the authenticity and integrity of requests sent to a server or service. It ensures that the communication between your application and the HelpCrunch system is secure and protected from unauthorized access or tampering.

Security signatures are typically generated using a combination of an organization secret and the user data. This approach ensures that the signature is unique to each request, making it difficult for malicious actors to replicate or reuse it.


Best Practices for Handling Security Signatures

  • Do Not Expose the Key Publicly
    Avoid publishing the key in open repositories, screenshots, or documentation.
  • Do Not Use the Key on the Client Side
    Perform all operations requiring the key exclusively on the server side.


Before enabling the security signature:


How to Use a Security Signature

    ⚠️ Before you begin, please note that all chats created without a security signature or with an improperly signed one will stop working once the security signature is enabled. Ensure all user data is correctly signed to prevent interruptions.  

    You are fully responsible for any outages caused by improper configuration of this feature.
    1. Enable Security Signature
      Once you enable the security signature in Settings→Developers→Security, you'll receive your organization secret key. Keep this key secure - it's essential for hashing and verification.
    2. Generate the Signature
      Take the user data from the user object.
      Convert the data to a JSON string.
      Append the organization secret key to the JSON string.
      Hash the combined string using the MD5 algorithm.
    3. Send Data to the Widget
      Pass the user data to the HelpCrunch widget (see example). 
      Include the generated MD5 signature from Step 2 in your request. 
    4. Test your configuration
      To ensure everything is functioning correctly, try to initiate a new chat as both an anonymous visitor and a registered user from the client's perspective. If the messages are received successfully and there are no errors in the browser console, then everything is likely in order.
    ⚠️ Important: Ensure that the user data is hashed in the exact order it is sent to the HelpCrunch backend. Any mismatch in the order will result in a `403 Forbidden` error.  

    PHP example for the init or updateUser methods with security signature:

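    <?php
        // Server side only: the organization secret must never reach the browser.
        $user = [
            'email' => 'user@example.com', // placeholder address
            'name' => 'The Name',
            'user_id' => '12345',
            'phone' => '+49123221312',
        ];
        // MD5 of the JSON string with the secret appended.
        // The key order here must match the order sent to the widget below.
        $signature = md5(json_encode($user) . 'your organization secret');
    ?>
    HelpCrunch('init', 'your organization domain', {
      appId: 'c2c067be-6678-4d0a-8c1c-4f9fad8e4b91',
      user: {
        // json_encode() emits a quoted, escaped JavaScript string literal,
        // so quotes or markup in user data cannot break out of the script.
        email: <?= json_encode($user['email']) ?>,
        name: <?= json_encode($user['name']) ?>,
        user_id: <?= json_encode($user['user_id']) ?>,
        phone: <?= json_encode($user['phone']) ?>
      },
      signature: '<?= $signature ?>'
    });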
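
The signing step and the ordering warning above, as an added Node.js example (not HelpCrunch's own code): it builds the user object once in a fixed key order and derives both the signature and the widget config from that same object, so the hashed JSON and the data sent cannot drift apart. It assumes `JSON.stringify` yields the same string as PHP's `json_encode` for the data being signed (true for the ASCII sample here; by default the two differ for `/` and non-ASCII characters); `FIELD_ORDER`, `buildInitConfig`, `toScriptLiteral`, `'your-app-id'` and the sample record are illustrative names and constructed values.

```javascript
// Added example, not HelpCrunch code: server-side signing in Node.js.
const crypto = require('node:crypto');

// Placeholder from the page; load the real secret from server-side config.
const ORG_SECRET = 'your organization secret';

// Key order the widget sends (the order used in the page's PHP example).
const FIELD_ORDER = ['email', 'name', 'user_id', 'phone'];

// Step 2 of the page: MD5 over the JSON string with the secret appended.
function signUser(user, secret) {
  return crypto.createHash('md5')
    .update(JSON.stringify(user) + secret, 'utf8')
    .digest('hex');
}

// Build the user object once, in FIELD_ORDER, with string values as in the
// page's example, and derive the signature from that exact object.
function buildInitConfig(appId, record, secret) {
  const user = {};
  for (const key of FIELD_ORDER) {
    if (record[key] !== undefined && record[key] !== null) {
      user[key] = String(record[key]);
    }
  }
  return { appId, user, signature: signUser(user, secret) };
}

// Serialize the config for a <script> element; "<" is escaped so a value
// such as "</script>" cannot end the element early.
function toScriptLiteral(config) {
  return JSON.stringify(config).replace(/</g, '\\u003c');
}

// Constructed sample record: different key order, numeric id, extra field.
const sampleRecord = {
  user_id: 12345,
  phone: '+49123221312',
  name: 'The Name',
  email: 'user@example.com',
  password_hash: 'not-sent-to-the-widget',
};

const initConfig = buildInitConfig('your-app-id', sampleRecord, ORG_SECRET);
console.log(`HelpCrunch('init', 'your organization domain', ${toScriptLiteral(initConfig)});`);
// Signing the raw record (other key order, numeric id, extra field) gives a
// different hash; the page states that an order mismatch results in 403 Forbidden.
console.log(signUser(sampleRecord, ORG_SECRET) === initConfig.signature); // false
```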