Immuta is updating the webhook signature scheme to use HMAC-SHA256 instead of HMAC-SHA1.
This change aligns Immuta with current cryptographic best practices and NIST guidance. The webhook payload format and shared secret remain unchanged; only the hashing algorithm used to generate the signature has been updated.
Currently, Immuta sends a webhook signature signed with HMAC-SHA1 via the x-immuta-webhook-signature HTTP header. Immuta has begun sending an additional webhook signature signed with HMAC-SHA256 via a new HTTP header, x-immuta-webhook-signature-sha256. As of today, you can opt in to stop receiving webhook signatures using HMAC-SHA1.
Customers that validate webhook signatures must ensure their verification logic supports HMAC-SHA256.
No action is required for customers who do not perform signature validation.
The release of this change will follow Immuta’s behavior change release process. The specific dates for each phase in that process are outlined below.
While HMAC-SHA1 has not been shown to be practically exploitable in this context, SHA-1 is deprecated and no longer recommended for new designs. This update is a proactive security-hardening measure.
For implementation details, see the updated webhook documentation.
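A receiver-side check that handles both headers during the transition described above, as an added example (not Immuta's code and not taken from its documentation). It assumes the signature is the hex-encoded HMAC of the raw request body, which this page does not state, so confirm the encoding in the webhook documentation; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac

# Header names are taken from the announcement; HTTP header names are case-insensitive.
SHA256_HEADER = "x-immuta-webhook-signature-sha256"
SHA1_HEADER = "x-immuta-webhook-signature"


def _matches(secret: bytes, body: bytes, digest, received: str) -> bool:
    # Assumption: the signature is the hex digest of the raw request body.
    expected = hmac.new(secret, body, digest).hexdigest()
    # compare_digest runs in constant time; comparing bytes avoids a
    # TypeError if the received header contains non-ASCII characters.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def verify_webhook(headers: dict, body: bytes, secret: bytes, allow_sha1: bool = True):
    """Return "sha256" or "sha1" for the signature that verified, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    sig256 = h.get(SHA256_HEADER)
    if sig256 is not None:
        # When the SHA-256 header is present it is authoritative: a bad value
        # is a rejection, never a reason to fall back to the SHA-1 header.
        return "sha256" if _matches(secret, body, hashlib.sha256, sig256) else None
    sig1 = h.get(SHA1_HEADER)
    if allow_sha1 and sig1 is not None:
        # Transitional path only; pass allow_sha1=False once you have opted
        # out of receiving HMAC-SHA1 signatures.
        return "sha1" if _matches(secret, body, hashlib.sha1, sig1) else None
    return None


# Constructed sample request (not real Immuta traffic).
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"constructed.sample","id":1}'
SAMPLE_HEADERS = {
    "X-Immuta-Webhook-Signature": hmac.new(SECRET, BODY, hashlib.sha1).hexdigest(),
    "X-Immuta-Webhook-Signature-Sha256": hmac.new(SECRET, BODY, hashlib.sha256).hexdigest(),
}

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_HEADERS, BODY, SECRET))  # sha256
```

Verify against the raw bytes of the request body as received, before any JSON parsing or re-serialization, since re-encoding can change the bytes and break the comparison.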