| Security control | Priority | Description |
|---|---|---|
| Public endpoint URL | Mandatory | Ensure your endpoint is publicly accessible over HTTPS. |
| IP whitelisting | Highly recommended | Restrict traffic to Cashfree’s IP ranges. |
| Signature verification | Highly recommended | Verify HMAC signature for each request. |
| Secure Sockets Layer (SSL) whitelisting | Optional | Configure mutual TLS for enhanced security. |
| Authentication validation | Optional | Add custom authentication for additional protection. |
Public endpoint URL
Your webhook endpoint must be publicly accessible over the internet for Cashfree to deliver notifications. Use this as your foundation and apply the security controls described in the following sections to protect the integration.
Ensure your endpoint URL uses HTTPS to encrypt data during transmission.
IP whitelisting
Restrict inbound traffic to accept requests only from Cashfree’s known IP ranges. This control ensures your endpoint receives webhooks exclusively from legitimate Cashfree sources. To configure IP whitelisting, complete the following steps:
- Obtain the list of Cashfree’s published IP addresses from the Security features documentation.
- Configure your firewall rules to allow requests only from these IP ranges.
- Block all other inbound traffic to your webhook endpoint.
Signature verification
All webhook notifications include a cryptographic signature using HMAC-based validation. Verify this signature to confirm the authenticity and integrity of each request. To implement signature verification, follow these guidelines:
- Serve your webhook endpoint over HTTPS to protect data during transmission.
- Extract the signature from the webhook request headers.
- Verify the signature against the raw request body using your secret key.
- Read the payload as raw bytes, not as a parsed and re-serialized object, because any re-encoding changes the bytes the signature was computed over and causes verification to fail.
Required headers
Validate the following mandatory headers in each webhook request:

| Header | Description |
|---|---|
| x-webhook-signature | The cryptographic signature for payload verification. |
| x-webhook-timestamp | The timestamp when the webhook was generated. |
| x-webhook-version | The API version of the webhook payload. |
For detailed implementation examples with SDK and manual verification code samples, refer to Webhook signature verification.
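The following is an added illustration of the verification flow described above, not code from the Cashfree documentation or SDK. It assumes the signature is base64(HMAC-SHA256(secret, timestamp + raw body)) with the timestamp in epoch seconds; confirm the exact construction against the Webhook signature verification page before relying on it. The secret and the payload are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Hypothetical secret; the real one comes from the Cashfree merchant dashboard.
WEBHOOK_SECRET = b"example-webhook-secret"


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Assumed scheme: base64(HMAC-SHA256(secret, timestamp + raw_body))."""
    signed_payload = timestamp.encode("utf-8") + raw_body
    digest = hmac.new(secret, signed_payload, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: Dict[str, str], raw_body: bytes, secret: bytes,
                   now: Optional[float] = None,
                   max_skew_seconds: int = 300) -> Tuple[bool, str]:
    """Return (accepted, reason). raw_body must be the unmodified request bytes."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    signature = h.get("x-webhook-signature")
    timestamp = h.get("x-webhook-timestamp")
    version = h.get("x-webhook-version")
    if not (signature and timestamp and version):
        return False, "missing required header"
    # Bound the replay window: reject notifications whose timestamp is stale
    # or far in the future relative to the receiver's clock.
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    current = time.time() if now is None else now
    if abs(current - ts) > max_skew_seconds:
        return False, "timestamp outside tolerance"
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison so a mismatch does not leak via timing.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payload and headers for a local dry run.
    body = b'{"type":"PAYMENT_SUCCESS_WEBHOOK","data":{"order":{"order_id":"order_123"}}}'
    ts = str(int(time.time()))
    hdrs = {"x-webhook-signature": compute_signature(WEBHOOK_SECRET, ts, body),
            "x-webhook-timestamp": ts, "x-webhook-version": "2023-08-01"}
    print(verify_webhook(hdrs, body, WEBHOOK_SECRET))
```

Compare against the raw bytes your framework hands you before any JSON parsing; frameworks that expose only a parsed body will break this check.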
SSL whitelisting
For enhanced transport-level security, configure mutual TLS (mTLS) authentication between your systems and Cashfree. To enable SSL whitelisting, you can:
- Provide your SSL certificate to Cashfree for addition to their trusted certificate sources.
- Add Cashfree’s certificate to your system’s trusted certificates.
SSL whitelisting is an optional security layer. Contact Cashfree support to configure mutual TLS authentication for your account.
Authentication validation
If your endpoint requires custom authentication, configure Cashfree to include the necessary credentials in webhook requests. Cashfree supports the following authentication methods:
- Basic authentication: Username and password credentials
- Bearer tokens: Token-based authentication
- Custom headers: Application-specific authentication parameters
To configure authentication validation, complete the following steps:
- Share the required authentication parameters with Cashfree.
- Implement server-side validation to verify the authentication fields in request headers.
- Reject requests that fail authentication checks.