Verify Slack Requests in Rails

Slack signs its requests so you can verify they’re authentic.

Here’s a method you can use in your Rails controllers for it.

def request_verified?
  timestamp = request.headers["X-Slack-Request-Timestamp"]
  signature = request.headers["X-Slack-Signature"]
  signing_secret = ENV.fetch("SLACK_SIGNING_SECRET")

  if < 5.minutes.ago
    return false # expired

  basestring = "v0:#{timestamp}:#{}"
  my_signature = "v0=#{OpenSSL::HMAC.hexdigest("SHA256", signing_secret, basestring)}"

  ActiveSupport::SecurityUtils.secure_compare(my_signature, signature)


Published September 14, 2018

You might also enjoy

Adding CSP to Rails

Package Your JavaScript Libraries With Rollup

Security Checks

All code examples are public domain.
Use them however you’d like (licensed under CC0).