User Agent Header
The user agent header is determined by the underlying framework we use for http connections. It could change as we periodically upgrade our framework or apply security patches. Thus, we do not recommend using the user agent header as a way to restrict POSTing to your endpoint or we may be unable to deliver alerts.
Cirium Alert key/hash Headers
Alternatively, we suggest customers to use the Cirium Alert key/hash headers feature documented here:
https://developer.cirium.com/apis/flightstats-apis/flight-alerts
On the above page, you'll find the following excerpt.
------------------------
When the alert POST is sent, we include two header fields:
- Cirium-Flex-Alert-Key - A pipe (|) concatenated string of the alert fields listed below.
- Example: MQ|3424|ORD|CLE|ARRIVAL_DELAY|2020-04-07T16:16:39.388Z
- The carrier FS code: alert.flightStatus.carrierFsCode (alert.flightStatus.carrier.fs if using inlined references)
- The flight number: alert.flightStatus.flightNumber
- The departure airport FS code: alert.flightStatus.departureAirportFsCode (alert.flightStatus.departureAirport.fs if using inlined references)
- The arrival airport FS code: alert.flightStatus.arrivalAirportFsCode (alert.flightStatus.arrivalAirport.fs if using inlined references)
- The event type: alert.event.type
- The event time: alert.event.dateTimeRecorded
- Cirium-Flex-Alert-Hash - The sha512 HMAC hex encoded hash.
- Example: bec05d9c9f5e7a28d37c5ea2326c6b4634c1717b6c512793cc6960282c02051abca41e807ae18abe1839b9c30a11def09c21068b66b1193513aaa5696637a738
If you wish to confirm the POST is from Cirium, you can create the same key out of the alert fields and, using your appKey, create the same hash code. The receiver can then compare your computed key/hash with Cirium-Flex-Alert-Key/Hash. Since the appKey, which only Cirium and you know, is used as the secret in the hash creation, you can be assured the POST is from Cirium and not someone attempting to spoof an alert callback. The sha512 HMAC encoding is not reversible and your appKey is a 32 character hex code, making it secure against hacking via the hash.
Here is a sample of Java code that computes the hash:
public static void main(String[] args) throws Exception { String appKey = "fakeAppKey"; String alertKey = "MQ|3424|ORD|CLE|ARRIVAL_DELAY|2020-04-07T16:16:39.388Z"; Mac sha512_HMAC = Mac.getInstance("HmacSHA512"); SecretKeySpec secret_key = new SecretKeySpec(appKey.getBytes(UTF_8), "HmacSHA512"); sha512_HMAC.init(secret_key); String hash = Hex.encodeHexString(sha512_HMAC.doFinal(alertKey.getBytes(UTF_8))); System.out.println(hash); }
Comments
0 comments
Article is closed for comments.