How Maxsight signs check requests
This topic illustrates how Maxsight signs check requests to an integration.
For details on how you can validate these requests, see Validate check requests from Maxsight.
All communication to and from Maxsight is performed using HTTPS with TLS. TLS is a security protocol designed to provide privacy and data integrity for Internet communications.
Authentication in Maxsight is done using the HTTP signatures draft standard, version 12.
An Authorization header is created with a signature that the client can validate to ensure the request came from the correct source.
Note
To create this signature, Maxsight uses a SECRET_KEY shared between the integration and Maxsight.
The following headers and values are used, in this order, to create the signature that is placed in the Authorization header:
Header | Description | Example |
---|---|---|
(request-target) | The request method and target; everything after the top-level domain. | post /test/checks |
host | The host URL; up to the top-level domain. | example.com |
date | The datetime the request was sent. This is in the UTC timezone, in the format shown in the example. | Tue, 24 Oct 2023 12:24:50 UTC |
digest | The Base64-encoded SHA-256 hash digest of the payload. | SHA-256=iUb8nTIV11s3kT6mJoI29pak8F66/r7wYX6QYeddMl8= |
Note
There is no digest if the request has no payload, such as when GET requests are used, for example to the integration /config endpoint.
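The signing scheme described above, seen from the integration side, as an added example that is not Maxsight's own code: it rebuilds the signing string from the four headers in table order, checks the digest against the received body, and compares signatures in constant time. It assumes HMAC-SHA256 keyed with the raw bytes of the shared SECRET_KEY (the page does not name the algorithm), a `headers` dict keyed by lowercase header name, and a `signature` argument holding the Base64 value already extracted from the Authorization header; all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Signed headers, in the order given in the table above.
SIGNED_HEADERS = ["(request-target)", "host", "date", "digest"]


def body_digest(body: bytes) -> str:
    """Digest header value: Base64 of the SHA-256 hash of the payload."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method, path, headers, names=SIGNED_HEADERS) -> str:
    """Draft-12 signing string: one 'name: value' line per signed header."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sign(secret: bytes, method, path, headers, names=SIGNED_HEADERS) -> str:
    # Assumption: HMAC-SHA256 keyed with the raw bytes of the shared SECRET_KEY.
    msg = signing_string(method, path, headers, names).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def verify(secret: bytes, method, path, headers, body: bytes, signature: str) -> bool:
    """Integration-side check of a received request (headers keyed in lowercase)."""
    names = list(SIGNED_HEADERS)
    if body:
        # The digest must describe the bytes actually received.
        claimed = headers.get("digest", "").encode()
        if not hmac.compare_digest(claimed, body_digest(body).encode()):
            return False
    else:
        names.remove("digest")  # no digest on payload-less requests such as GET /config
    if any(n not in headers for n in names[1:]):
        return False  # a signed header is missing
    expected = sign(secret, method, path, headers, names)
    return hmac.compare_digest(expected.encode(), signature.encode())
```

Checking the digest before the signature matters because the signature covers only the digest header, not the body itself; a request whose body was altered in transit would otherwise still carry a valid signature.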