
Security

Webhook signature verification

Every webhook from ShieldLabs is signed with HMAC-SHA256. Always verify the Assing field against the raw request body before processing the payload; a signature check that fails must reject the request.
const crypto = require('crypto');
// Compute the HMAC over the raw body bytes exactly as received. Re-serializing a
// parsed object (JSON.stringify) can change key order or whitespace and yield a
// different digest than the one ShieldLabs computed.
function verifyWebhook(rawBody, assing, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(assing, 'hex');
  // timingSafeEqual throws when lengths differ (truncated or non-hex input),
  // so check the length before the constant-time comparison.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}
See Webhooks for implementations in Go, Python, and PHP.

Key management

  • Public Key: safe to expose in browser HTML/JS
  • Secret Key: never expose client-side; store in environment variables or a secrets manager
  • Rotate keys immediately if compromised. Rotation replaces both the public and the secret key, so update the embedded snippet and the secret used in your webhook HMAC verification
  • The JWT refresh token for account.shieldlabs.ai is stored in an HttpOnly cookie, so page scripts cannot read it

Transport security

  • All ShieldLabs endpoints use HTTPS with TLS 1.2+
  • Your webhook endpoint must use HTTPS
  • WebRTC uses WSS and UDP STUN

Data minimization

  • Never send raw user identifiers: UserHID must be a hash of your identifier, not the identifier itself
  • First-party visitorID cookie for visitor persistence
  • IP processed server-side; sent to ipapi.is for classification

Responsible disclosure

If you discover a security vulnerability in ShieldLabs, please report it to security@shieldlabs.ai. Do not publicly disclose until we have confirmed and patched the issue.