Why Polling Isn’t Enough
The simplest way to sync two systems is polling — check every 5 minutes for new data. But polling has problems:
- Delay: A customer places an order and waits up to 5 minutes before your CRM knows
- Waste: 95% of polling requests return “nothing new”
- Load: Frequent polling hammers both your store and CRM servers
- Gaps: If a poll fails, you miss everything until the next cycle
For real-time business operations, you need push-based synchronization — data arrives the moment it’s created.
Webhooks: Instant Data Delivery
WooSync uses WooCommerce’s native webhook system. When an event occurs in your store, WooCommerce pushes the data directly to your Perfex CRM:
- order.created — New order placed
- order.updated — Order status changed
- product.created — New product added
- product.updated — Product details modified
- customer.created — New customer registered
- customer.updated — Customer profile changed
The data arrives in milliseconds, not minutes. Your CRM is always current.
HMAC-SHA256 Signature Verification
Anyone can send an HTTP POST to your webhook URL. How does WooSync know it’s actually from WooCommerce and not an attacker?
HMAC-SHA256 cryptographic signatures.
Every webhook delivery includes an X-WC-Webhook-Signature header — a hash computed from the payload using your shared secret. WooSync recalculates the hash and compares:
- Match: Request is authentic → process it
- Mismatch: Request is forged → reject it (401)
This is the same verification method used by Stripe, GitHub, and other enterprise APIs. Your webhook endpoint is cryptographically protected.
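The check described above, sketched as an added example (this is not WooSync's own code; the function name, secret and payload are constructed for illustration). WooCommerce sends the signature as the base64-encoded HMAC-SHA256 of the raw request body, so the receiver must hash the exact bytes it received and compare in constant time:

```php
<?php
// Added example, not WooSync's code. Secret and payload below are constructed.

/**
 * Verify a WooCommerce webhook delivery.
 * $rawBody must be the exact bytes received (e.g. file_get_contents('php://input')),
 * not re-encoded JSON: any change in whitespace or key order changes the HMAC.
 */
function verify_wc_signature(string $rawBody, ?string $headerValue, string $secret): bool
{
    if ($headerValue === null || $headerValue === '' || $secret === '') {
        return false; // missing header or unset secret: fail closed
    }
    // WooCommerce sends base64(HMAC-SHA256(raw body, secret)).
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, trim($headerValue));
}

// Constructed sample delivery.
$secret = 'constructed-test-secret';
$body   = '{"id":1001,"status":"processing","total":"49.90"}';
$header = base64_encode(hash_hmac('sha256', $body, $secret, true)); // what the sender would compute

$cases = [
    'authentic delivery'       => [$body, $header],
    'tampered total'           => [str_replace('49.90', '0.01', $body), $header],
    're-serialized JSON'       => [json_encode(json_decode($body, true), JSON_PRETTY_PRINT), $header],
    'missing signature header' => [$body, null],
    'signature with wrong key' => [$body, base64_encode(hash_hmac('sha256', $body, 'other', true))],
];

foreach ($cases as $label => [$b, $h]) {
    $ok = verify_wc_signature($b, $h, $secret);
    // 200 to accept; 401 matches the rejection status the article describes.
    printf("%-26s -> %s\n", $label, $ok ? '200 accept' : '401 reject');
}
```

Only the first case is accepted. The re-serialized case shows why the signature has to be checked before the JSON is parsed or normalized.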
Queue-Based Processing
Webhook data doesn’t hit your database directly. WooSync uses a queue table (woosync_webhook_queue) with production-grade reliability:
- Deduplication: Each delivery has a unique delivery_id — the same event is never processed twice
- Retry logic: Failed processing attempts are retried up to 3 times
- Status tracking: pending → processing → completed (or failed)
- Locked processing: A locked_at timestamp prevents concurrent processing of the same item
- Error logging: Failed attempts store error messages for debugging
Rate Limiting: 120 Requests/Minute
WooSync includes IP-based rate limiting on the webhook endpoint:
- Maximum 120 requests per minute per IP
- Excess requests are rejected with 429 Too Many Requests
- Rate limit data stored in woosync_rate_limits table
- Protects your CRM from webhook floods (e.g., bulk updates in WooCommerce)
CSRF Whitelist
Perfex CRM has built-in CSRF protection that blocks external POST requests. WooSync automatically whitelists its webhook endpoint so WooCommerce deliveries pass through without CSRF validation — while keeping all other CRM endpoints protected.
The Complete Security Stack
| Layer | Protection |
|---|---|
| HMAC-SHA256 | Verifies webhook authenticity |
| Rate Limiting | Prevents flood attacks (120/min) |
| CSRF Whitelist | Allows legitimate webhooks through |
| Queue Dedup | Prevents duplicate processing |
| Retry Logic | Handles transient failures |
| AES Encryption | Protects stored API credentials |
Setup: 5 Minutes
Secure. Instant. Reliable.
