What's New
Enhanced Webhook HMAC Signatures
- Replay protection:
X-CertMate-Signaturenow includes a timestamp — format:t=<unix_ts>,v1=<hex_digest> - Signature is computed over
{timestamp}.{body}using HMAC-SHA256 - Receivers should verify the timestamp is within 5 minutes to prevent replay attacks
Custom HTTP Headers
- Generic webhooks now support custom HTTP headers (e.g.,
X-Custom-Auth, routing headers) - Configure per-webhook in Settings → Notifications → Webhooks
Webhook Delivery Log
- All webhook deliveries are logged to
data/webhook_deliveries.jsonl - New API endpoint:
GET /api/webhooks/deliveries?limit=50 - Each entry includes: timestamp, webhook name, event, HTTP status, attempts, duration, errors
- Auto-truncates to last 1000 entries
Per-Webhook Event Filtering (UI)
- Each webhook can now filter which events it receives directly from the settings UI
- Leave empty to receive all events (backward compatible)
Delivery History Viewer
- New "Recent Deliveries" section in notification settings shows delivery history with status, attempts, and errors
Breaking Change
X-CertMate-Signatureheader format changed from plain hex digest tot=<timestamp>,v1=<hex>. Update any receivers that parse this header.
Full Changelog: v1.10.4...v1.10.5