Security

Validating Origin Signature

To let your target system confirm that a request really came from ServerlessQ, an x-serverlessq-signature header is attached to each request. This header contains the HMAC-SHA256 of the payload (the target), computed with your API token as the secret. Your handler recomputes the same HMAC over the same payload and compares it with the header value.

For example, you can validate our request like this:

```ts
// pages/api/queue/vercel

import { Queue } from "@serverlessq/nextjs";
import { createHmac } from "crypto";
import { NextApiRequest } from "next";

const TARGET = "your-target-url";

// Recompute the HMAC-SHA256 of the payload with the API token as the secret
// and compare it with the signature ServerlessQ attached to the request.
const verifySignature = (req: NextApiRequest, payload: string) => {
  const signature = createHmac("sha256", process.env.SERVERLESSQ_API_TOKEN!)
    .update(payload)
    .digest("hex");
  return signature === req.headers["x-serverlessq-signature"];
};

// Placeholder for the work your queue handler actually performs.
const doSomethingImportant = async () => ({ done: true });

export default Queue(
  "Vercel Queue",
  "api/queue/vercel",
  async (req, res) => {
    if (!verifySignature(req, JSON.stringify({ target: TARGET }))) {
      // Return here so that a request with a bad signature never reaches the work below.
      return res.status(403).json({
        code: `invalid_signature`,
        error: `signature didn't match`,
      });
    }
    const result = await doSomethingImportant();

    res.status(200).json({ code: "success", result });
  },
  { retries: 1 } // optionally: urlToOverrideWhenRunningLocalhost: TARGET
);
```
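The following is an added, self-contained example (not ServerlessQ's own code) that shows the signing and verification steps end to end without a Next.js runtime. It uses a constructed API token and target URL, and it compares the two hex digests with `crypto.timingSafeEqual` instead of `===`, so that verification time does not depend on how many leading characters of a guessed signature happen to match. The `sign`, `verifySignature`, `makeSignedHeaders` and `demo` names are assumptions made for this example; in a real handler the token comes from `process.env.SERVERLESSQ_API_TOKEN` and the headers from the incoming request.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed token for the example; in production read process.env.SERVERLESSQ_API_TOKEN.
const API_TOKEN = "example-token-not-a-real-secret";

// Constructed target; the payload ServerlessQ signs is the JSON object { target }.
export const TARGET = "https://example.com/api/queue/vercel";
export const PAYLOAD = JSON.stringify({ target: TARGET });

// Hex HMAC-SHA256 of the payload keyed with the API token; this is the value
// ServerlessQ places in the x-serverlessq-signature header.
export function sign(payload: string, token: string): string {
  return createHmac("sha256", token).update(payload).digest("hex");
}

// Verify the header against a freshly computed HMAC over the expected payload.
// Headers are typed the way Node exposes them: a string, an array, or absent.
export function verifySignature(
  headers: Record<string, string | string[] | undefined>,
  payload: string,
  token: string
): boolean {
  const raw = headers["x-serverlessq-signature"];
  const received = Array.isArray(raw) ? raw[0] : raw;
  if (typeof received !== "string") {
    return false; // header missing: reject without computing anything
  }
  const expected = sign(payload, token);
  const a = Buffer.from(received, "utf8");
  const b = Buffer.from(expected, "utf8");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (a.length !== b.length) {
    return false;
  }
  return timingSafeEqual(a, b);
}

// Simulates the sending side: build the header map ServerlessQ would attach.
export function makeSignedHeaders(payload: string, token: string) {
  return { "x-serverlessq-signature": sign(payload, token) };
}

// Runs the cases a handler must get right and returns the verdicts.
export function demo() {
  const valid = verifySignature(makeSignedHeaders(PAYLOAD, API_TOKEN), PAYLOAD, API_TOKEN);
  // Signed with a different token: must be rejected.
  const wrongToken = verifySignature(makeSignedHeaders(PAYLOAD, "some-other-token"), PAYLOAD, API_TOKEN);
  // Signed for one target but verified against another: must be rejected.
  const otherPayload = JSON.stringify({ target: "https://example.org/other" });
  const differentPayload = verifySignature(makeSignedHeaders(otherPayload, API_TOKEN), PAYLOAD, API_TOKEN);
  // No signature header at all: must be rejected.
  const missingHeader = verifySignature({}, PAYLOAD, API_TOKEN);
  return { valid, wrongToken, differentPayload, missingHeader };
}

console.log(demo()); // { valid: true, wrongToken: false, differentPayload: false, missingHeader: false }
```

The payload you verify against must be built on your side from your own configured target, never taken from the request body, because the signature only proves knowledge of the token over that exact string; any difference in key order, whitespace or encoding between what ServerlessQ signed and what you hash will produce a mismatch.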

Alternatively, you could perform the same check in Next.js middleware instead of inside the queue handler.