Immuta is updating the webhook signature scheme to use HMAC-SHA256 instead of HMAC-SHA1. The webhook payload format and shared secret remain unchanged; only the hashing algorithm used to generate the signature has been updated.
This change was originally scheduled for February 20 and has been extended to March 16.
What is changing
- Currently, Immuta sends a webhook signature signed with HMAC-SHA1 via the x-immuta-webhook-signature HTTP header.
- Immuta has begun sending an additional webhook signature signed with HMAC-SHA256 via a new HTTP header, x-immuta-webhook-signature-sha256.
- Beginning March 16, Immuta will stop sending webhook signatures signed with HMAC-SHA1 for all customers who have not opted out before that date. Contact your Immuta representative to opt out.
Impact to you
Customers that validate webhook signatures must ensure their verification logic supports HMAC-SHA256. No action is required for customers who do not perform signature validation.
Timeline
The release of this change will follow Immuta’s behavior change release process. The specific dates for each phase in that process are outlined below.
- 1/20: Customers can opt in to stop receiving a webhook signature signed with HMAC-SHA1.
- 3/16: Immuta will stop sending webhook signatures signed with HMAC-SHA1 by default, but customers can opt out of this change for this time period.
- 4/16: The change will be generally enabled. It will no longer be possible for webhook signatures to be signed using HMAC-SHA1, and nothing will be sent over the x-immuta-webhook-signature header.
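As an added example (not code from Immuta or its documentation), the verifier below covers both the Impact section above and the transition in this timeline: it checks the new x-immuta-webhook-signature-sha256 header, consults the legacy x-immuta-webhook-signature header only while the caller still explicitly allows it, and refuses to downgrade when a SHA-256 value is present but wrong. It assumes the signature is a hex-encoded HMAC over the raw request body; the announcement does not state the encoding, so adjust that one function if the webhook documentation says otherwise.

```python
import hashlib
import hmac
from typing import Callable, Mapping, Optional

# Header names from the announcement.
SHA256_HEADER = "x-immuta-webhook-signature-sha256"
SHA1_HEADER = "x-immuta-webhook-signature"  # legacy; no longer sent after 4/16


def compute_signature(secret: bytes, body: bytes, digest: Callable) -> str:
    """HMAC over the raw request body, hex-encoded.

    Assumption: the announcement does not specify the encoding; this is
    the only function to change if the documentation uses another one."""
    return hmac.new(secret, body, digest).hexdigest()


def sign_sha256(secret: bytes, body: bytes) -> str:
    return compute_signature(secret, body, hashlib.sha256)


def sign_sha1(secret: bytes, body: bytes) -> str:
    return compute_signature(secret, body, hashlib.sha1)


def verify_webhook(headers: Mapping[str, str], body: bytes, secret: bytes,
                   accept_sha1: bool = False) -> Optional[str]:
    """Return "sha256" or "sha1" naming the header that validated the request,
    or None if the request must be rejected.

    The SHA-256 header is always preferred. If it is present but wrong, the
    request is rejected outright rather than falling back to SHA-1, so a
    sender cannot force a downgrade by supplying a bad SHA-256 value. The
    SHA-1 header is consulted only while accept_sha1 is True; callers should
    switch that off once the legacy header stops being sent."""
    # HTTP header names are case-insensitive; normalise them once.
    lowered = {name.lower(): value for name, value in headers.items()}

    checks = [(SHA256_HEADER, hashlib.sha256, "sha256")]
    if accept_sha1:
        checks.append((SHA1_HEADER, hashlib.sha1, "sha1"))

    for header, digest, label in checks:
        presented = lowered.get(header)
        if presented is None:
            continue  # header absent, try the next accepted scheme
        expected = compute_signature(secret, body, digest)
        # Constant-time comparison: response timing must not reveal how many
        # leading characters of a forged value happened to match.
        if hmac.compare_digest(expected, presented.strip().lower()):
            return label
        return None  # a present but invalid signature is a hard failure
    return None  # no accepted signature header at all
```

Keep the raw request body bytes for verification; re-serialising parsed JSON can change whitespace or key order and break the HMAC.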
Why this change
While HMAC-SHA1 has not been shown to be practically exploitable in this context, SHA-1 is deprecated and no longer recommended for new designs. This update is a proactive security-hardening measure.
For implementation details, see the updated webhook documentation.