
Security

Webhook signature verification

Every webhook from ShieldLabs is signed with HMAC-SHA256 over the request body using your shared secret. Always verify the Assing field against the raw request body before parsing or processing the payload, and reject the request if the signature does not match.

const crypto = require('crypto');
// Verify over the raw request body bytes, not JSON.stringify(parsedObject):
// re-serialization can change whitespace or key order and the HMAC will not match.
function verifyWebhook(rawBody, assing, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const given = Buffer.from(assing, 'hex');
  const want = Buffer.from(expected, 'hex');
  // timingSafeEqual throws on a length mismatch, so reject that case explicitly.
  return given.length === want.length && crypto.timingSafeEqual(given, want);
}

See Webhooks for implementations in Go, Python, and PHP.

Key management

  • Public Key: safe to expose in browser HTML/JS
  • Secret Key: never expose client-side; store in environment variables or a secrets manager
  • Rotate keys immediately if compromised — use Dashboard → Domain → Rotate Keys

Transport security

  • All ShieldLabs endpoints use HTTPS with TLS 1.2+
  • Your webhook endpoint must use HTTPS
  • WebSocket connections use WSS

Data minimization

ShieldLabs collects only what is needed for fraud detection:
  • No raw user identifiers (your UserHID must be hashed)
  • No browsing history
  • No cookies
  • IP address is processed server-side only (not exposed to the browser)

Responsible disclosure

If you discover a security vulnerability in ShieldLabs, please report it to security@shieldlabs.ai. Do not publicly disclose until we have confirmed and patched the issue.