Back to Documentation

Webhooks

Receive real-time fraud alerts in your own systems via HTTP webhooks.

Overview

Webhooks allow you to receive real-time notifications when ClickDefender detects suspicious or fraudulent activity. Configure up to 5 webhooks per property to integrate with your CRM, Slack, or custom systems.

Max 5 webhooks
per property
3 event types
to subscribe to
HMAC-SHA256
signature verification

Event Types

fraud_detected

Triggered immediately when a visitor is classified as FRAUD (score 70+)

{
  "event": "fraud_detected",
  "timestamp": "2024-01-05T14:30:00Z",
  "property": {
    "id": "prop_abc123",
    "name": "My Landing Page"
  },
  "visitor": {
    "id": "vis_xyz789",
    "ip": "192.168.1.100",
    "country": "US",
    "userAgent": "Mozilla/5.0..."
  },
  "decision": {
    "score": 85,
    "label": "FRAUD",
    "action": "BLOCK",
    "reasons": [
      {"rule": "datacenter_ip", "score": 25},
      {"rule": "rapid_clicks", "score": 30},
      {"rule": "honeypot", "score": 40}
    ]
  }
}

high_risk_visitor

Triggered when a visitor is classified as SUSPICIOUS (score 40-69)

{
  "event": "high_risk_visitor",
  "timestamp": "2024-01-05T14:30:00Z",
  "property": {
    "id": "prop_abc123",
    "name": "My Landing Page"
  },
  "visitor": {
    "id": "vis_xyz789",
    "score": 55,
    "label": "SUSPICIOUS"
  }
}

daily_summary

Sent once daily with aggregated fraud statistics

{
  "event": "daily_summary",
  "timestamp": "2024-01-05T00:00:00Z",
  "property": {
    "id": "prop_abc123",
    "name": "My Landing Page"
  },
  "summary": {
    "date": "2024-01-04",
    "totalVisitors": 1250,
    "cleanCount": 1180,
    "suspiciousCount": 45,
    "fraudCount": 25,
    "fraudRate": "2.0%",
    "topRules": [
      {"rule": "datacenter_ip", "count": 15},
      {"rule": "vpn_detected", "count": 8}
    ]
  }
}

Signature Verification

Every webhook request includes an X-ClickDefender-Signature header containing an HMAC-SHA256 signature. Always verify this signature to ensure the request came from ClickDefender.

Security Warning: Your webhook secret is only shown once when you create the webhook. Store it securely—it cannot be retrieved later.

Node.js Example

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload, 'utf8')
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

// In your webhook handler:
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-clickdefender-signature'];
  const payload = JSON.stringify(req.body);

  if (!verifyWebhookSignature(payload, signature, WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }

  // Process the webhook...
  const event = req.body;
  console.log('Received:', event.event);

  res.status(200).send('OK');
});

Python Example

import hmac
import hashlib

def verify_webhook_signature(payload: str, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode('utf-8'),
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)

# In your Flask handler:
@app.route('/webhook', methods=['POST'])
def handle_webhook():
    signature = request.headers.get('X-ClickDefender-Signature')
    payload = request.get_data(as_text=True)

    if not verify_webhook_signature(payload, signature, WEBHOOK_SECRET):
        return 'Invalid signature', 401

    event = request.json
    print(f"Received: {event['event']}")

    return 'OK', 200

Setting Up Webhooks

  1. Navigate to Property Settings

    Go to your property in the dashboard and click the Settings tab.

  2. Open Webhooks Section

    Scroll down to the Webhooks section and click "Add Webhook".

  3. Configure Your Webhook

    Enter your endpoint URL (must be HTTPS) and select which events to subscribe to.

  4. Save the Secret

    Copy and securely store the webhook secret—it's only shown once.

  5. Test Your Integration

    Use the "Send Test" button to verify your endpoint receives and processes webhooks correctly.

Retry Policy

If your endpoint returns a non-2xx status code or times out (30 second limit), ClickDefender will retry the webhook with exponential backoff:

  • 1st retry: 1 minute after initial failure
  • 2nd retry: 5 minutes after 1st retry
  • 3rd retry: 30 minutes after 2nd retry
  • 4th retry: 2 hours after 3rd retry
  • Final retry: 24 hours after 4th retry

After 5 failed attempts, the webhook delivery is marked as failed. You can view delivery history in your property settings.

Best Practices

  • 1.Always verify signatures — Never process a webhook without validating its signature.
  • 2.Respond quickly — Return a 200 status immediately, then process asynchronously if needed.
  • 3.Handle duplicates — Use the event ID to deduplicate in case of retries.
  • 4.Use HTTPS — Webhook URLs must use HTTPS for security.
  • 5.Monitor delivery — Check the webhook delivery log periodically for failures.

Need Help?

Questions about webhooks? We're here to help.