title: [Learning Notes] LINE Bot Developer Guide Explained - 2. Notes on Receiving Requests Using Webhook URL
published: false
date: 2021-06-03 00:00:00 UTC
tags:
canonical_url: http://www.evanlin.com/line-bot-guide-2/
---

## Preface:
Hello everyone, I am Evan Lin, a Senior Developer Technology Promotion Engineer at LINE Taiwan. Today's article provides a detailed explanation of the "LINE Bot Developer Guide" slide document, which comes from the [Development guidelines](https://developers.line.biz/en/docs/partner-docs/development-guidelines/) slides. Because it has not yet been officially announced and localized in Chinese in Taiwan, we are collaborating with headquarters to prepare a Chinese version, and we are using this series of articles to explain it so that more developers can understand it. The [Development guidelines](https://developers.line.biz/en/docs/partner-docs/development-guidelines/) document has a lot of content, so the slides will be explained in five articles. This is the second article, mainly explaining the precautions for setting up a LINE Bot Webhook.
## Article Index:
#### Complete slide link: [https://speakerdeck.com/line\_developers\_tw2/line-bot-developer-guideline-chinese](https://speakerdeck.com/line_developers_tw2/line-bot-developer-guideline-chinese)
I hope you will keep following the series:
1. [About LINE Bot](https://www.evanlin.com/2021-05-25-line-bot-guide-1/)
2. Notes on receiving requests using Webhook URL (this article)
3. Notes on sending API requests
4. LINE Login
5. Other related functions
This article will focus on the first section, which is Page 3 ~ Page 8.
## Notes on Receiving Requests Using Webhook URL
<script async="" data-slide="10" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
Many of the notes in this section are covered in more detail in "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)". Here they are mentioned and explained briefly, page by page.
- A Considerations for a secure communication environment
- B When a request is received, reply with status code 200
- C Preventing unauthorized requests from outside LINE
- D Considerations for large-scale message processing
### A Considerations for a secure communication environment
<script async="" data-slide="11" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
This part reminds everyone to strengthen the security of the Webhook server's environment. Note also that, according to the 2021/01 news ([[Updated] TLS 1.0 and TLS 1.1 support by the webhook notification source will be discontinued at the end of January 2021](https://developers.line.biz/en/news/2020/10/06/update-webhook-client-and-root-certificate/)), if you want to receive LINE platform Webhooks normally, you must make the server support TLS 1.3.
- The platform has started supporting TLS 1.3: [LINE’s APIs now support TLS 1.3](https://developers.line.biz/en/news/2020/07/01/enabled-tls1.3/)
- TLS 1.1 and 1.2 will no longer be supported: [Updated: TLS 1.0 and TLS 1.1 support by the webhook notification source will be discontinued at the end of January 2021](https://developers.line.biz/en/news/2020/10/06/update-webhook-client-and-root-certificate/)
- "The first thing: Correctly set up HTTPS" in "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)" also covers this; developers should pay close attention.
- When setting up an HTTPS server, the following points must be noted:
  - The [root certificate](https://zh.wikipedia.org/zh-tw/%E6%A0%B9%E8%AF%81%E4%B9%A6) ([Root CA](https://en.wikipedia.org/wiki/Root_certificate)) used by the HTTPS server must be in the [whitelist](https://developers.line.me/wp-content/uploads/2017/02/ca_root_v2.txt) of the LINE platform; otherwise the LINE platform will refuse to send messages. Most certificates in the whitelist require a paid application, but the LINE platform also supports commonly used free certificates, such as [Let’s Encrypt](https://letsencrypt.org/).
  - Do not use protocols (such as SSL v2 or SSL v3) or cipher suites with known security vulnerabilities (such as SWEET32, CVE-2016-2183).
  - Be sure to configure the [intermediate certificate](https://zh.wikipedia.org/wiki/%E5%85%AC%E9%96%8B%E9%87%91%E9%91%B0%E8%AA%8D%E8%AD%89#.E4.B8.AD.E4.BB.8B.E8.AD.89.E6.9B.B8) ([Intermediate certificate](https://en.wikipedia.org/wiki/Public_key_certificate#Types_of_certificate)) correctly, to avoid errors caused by the chain failing to map to the root certificate. This is the most commonly reported problem, so pay extra attention to it when setting up the HTTPS server.
For more information, please refer to the following articles:
- [LINE’s APIs now support TLS 1.3](https://developers.line.biz/en/news/2020/07/01/enabled-tls1.3/)
- [Updated: TLS 1.0 and TLS 1.1 support by the webhook notification source will be discontinued at the end of January 2021](https://developers.line.biz/en/news/2020/10/06/update-webhook-client-and-root-certificate/)
- [Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)
### B When a request is received, reply with status code 200
<script async="" data-slide="12" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
The article "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)" (Third thing: Reply to the LINE platform with the correct HTTP status code as soon as possible) also mentions that after the LINE platform sends an event message to the developer's Webhook server, a timeout error occurs if no HTTP status code is received within 1 second; the LINE platform then closes the HTTP connection and treats the transmission as failed. If the transmission fails repeatedly, the LINE platform may block the Webhook server or take other measures, causing the developer's application service to stop functioning properly. Developers should pay attention to this.
For more information, please refer to the following articles:
- [Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)
### C Preventing unauthorized requests from outside LINE
<script async="" data-slide="13" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
The article "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)" (Second thing: Verify the message source) also mentions that when the developer's [Webhook](https://devdocs.line.me/en/#webhooks) server receives a LINE event message sent via HTTP POST, it must immediately verify that the event message really comes from the LINE platform, so that it is not deceived by forged messages that could lead to security incidents. The standard verification method is to check the digital signature in the [HTTP request header](http://terms.naer.edu.tw/detail/2377105/). If the HTTP POST message is from the LINE platform, the HTTP request header will always include the X-Line-Signature item, and the value of this item is the digital signature.
For more information, please refer to the following articles:
- [Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)
### D Considerations for large-scale message processing
<script async="" data-slide="14" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
Here, some experience is shared with developers. Depending on the nature of the business, a large number of messages will pour into the developer's LINE Bot at the following times, and developers should watch for them. (Part of message concentration)
To cope with these bursts of messages, developers should have backup plans in place so that the server is not overloaded by too many messages. The following are recommended:
- Check whether there is a horizontal scaling mechanism to handle a large volume of requests. (Auto-scaling)
- Check the reply time for each message, and adopt an asynchronous approach where possible: reply to the platform first, and then send the message to the user. This avoids getting stuck when too many messages arrive.
In addition, this page of the slides also carries an important notice:
- Please do not perform stress testing on the GW server. If stress testing is needed during development, please do it through other methods. Refer to [Development guidelines](https://developers.line.biz/en/docs/messaging-api/development-guidelines/#prohibiting-mass-requests-to-line-platform).
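
The reply-first approach recommended above, as an added Python example (not code from the slides or the LINE SDK): the request path only enqueues the body and returns 200, and a background worker does the slow part. The in-process queue, the function names and the use of the 1-second timeout from section B as a latency budget are assumptions of this example.

```python
import queue
import threading
import time

ACK_BUDGET_SECONDS = 1.0  # timeout stated in section B of this article


def start_worker(process):
    """Start one background worker and return the queue the HTTP handler feeds.

    Assumption: an in-process queue keeps the example self-contained; a
    horizontally scaled service would use a shared, durable queue instead.
    """
    jobs = queue.Queue()

    def run():
        while True:
            raw_body = jobs.get()
            try:
                process(raw_body)  # slow part: business logic, sending replies
            except Exception as exc:
                # One failing job must not stop the worker from draining the rest.
                print("event processing failed:", exc)
            finally:
                jobs.task_done()

    threading.Thread(target=run, daemon=True).start()
    return jobs


def receive_webhook(jobs, raw_body):
    """Called by the HTTP handler once the signature has been verified.

    Returns (status_code, seconds_spent) so the reply time can be monitored.
    """
    started = time.monotonic()
    jobs.put(raw_body)  # hand off only; no processing on the request path
    elapsed = time.monotonic() - started
    return 200, elapsed


def within_budget(elapsed):
    """True if the acknowledgement was produced inside the timeout."""
    return elapsed < ACK_BUDGET_SECONDS
```
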
### E-1 Webhook ON/OFF
<script async="" data-slide="15" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
This page explains the Webhook switch together with "auto-reply messages" and "welcome messages for adding friends". The main reminder for developers is that if you forget to turn off "auto-reply messages", then even with the Webhook switch turned on and events being received, replies will still be sent through "auto-reply messages". More details are explained on the next page:
Related information:
- [LINE Official Account Auto-Reply Message Instructions](https://tw.linebiz.com/manual/line-official-account/oa-manager-autoreply)
- [4 Ways to Learn How to Attract Friends to Click on Welcome Messages – LINE Merchants Report – LINE Enterprise](https://www.linebiz-blog.com.tw/4%E6%8B%9B%E5%AD%B8%E6%9C%83%E5%90%B8%E5%BC%95%E5%A5%BD%E5%8F%8B%E6%83%B3%E9%BB%9E%E4%B8%80%E4%B8%8B%E7%9A%84%E6%AD%A1%E8%BF%8E%E8%A8%8A%E6%81%AF/)
### E-2 Webhook ON/OFF option settings (interaction with "auto-reply messages" and "auto-welcome messages")
<script async="" data-slide="16" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
- **Use** "Webhook", **Use** auto-reply and add friend welcome messages:
  - When a message arrives, it will be sent to both Webhook and auto-reply.
  - But because auto-reply will reply first, Webhook does not need to reply.
- **Use** "Webhook", **Do not use** auto-reply and add friend welcome messages:
  - It is recommended that developers use this method, completely receiving and sending messages through Webhook.
- **Do not use** "Webhook", **Use** auto-reply and add friend welcome messages:
  - In this way, Webhook will not receive messages, and will completely reply through auto-reply.
- **Do not use** "Webhook", **Do not use** auto-reply and add friend welcome messages:
  - As introduced in the slides, it is currently not open and not recommended for developers to set it up this way.
### F Other notes
<script async="" data-slide="17" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
### F-1. One request contains multiple message formats
The article "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)" (Fourth thing: The events sent by the LINE platform are an array) explains this more clearly and is worth reading. Because the Messaging API account does not have a large number of event messages coming in, each received request almost always contains only one event, so developers mistakenly assume that each event message only needs to process one piece of data. In fact, the HTTP request body sent by the LINE platform to the Webhook server includes one or more [Webhook event object](https://devdocs.line.me/en/#webhook-event-object) JSON objects.
### F-2. How to map new attributes of Webhook
Here it is recommended that developers evaluate each attribute independently and have a graceful way to handle attributes that may be added later. One recommended method is to use a switch-case that processes only the events you handle and skips all the others.
Related documents:
- [LINE Dev Doc: Receiving messages (webhooks)](https://developers.line.biz/en/docs/messaging-api/receiving-messages/)
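
An added example (not from the slides or the LINE SDK) of the handling described in F-1 and F-2: loop over every entry in `events` and dispatch on `type`, skipping anything unhandled. A handler table plays the role of the switch-case here; the handler names, the sample body, `constructedNewField` and `constructedFutureEvent` are made up for illustration.

```python
import json


def handle_message(event):
    msg = event.get("message", {})
    # Message subtypes get the same treatment: handle what we know, skip the rest.
    if msg.get("type") == "text":
        return "text:" + msg.get("text", "")
    return "skipped-message:" + str(msg.get("type"))


def handle_follow(event):
    return "follow:" + event.get("source", {}).get("userId", "?")


# Only the event types this bot handles; everything else falls through.
HANDLERS = {"message": handle_message, "follow": handle_follow}


def process_webhook_body(raw_body):
    """Process every event in one webhook request, not just the first."""
    payload = json.loads(raw_body)
    results = []
    for event in payload.get("events", []):  # one request, one or more events
        handler = HANDLERS.get(event.get("type"))
        if handler is None:
            # Unknown or new event type: skip it instead of failing the request.
            results.append("skipped:" + str(event.get("type")))
            continue
        # Handlers read only the fields they need, so extra attributes are ignored.
        results.append(handler(event))
    return results


# Constructed sample body: three events in a single request.
SAMPLE_BODY = json.dumps({
    "destination": "U-constructed-bot",
    "events": [
        {"type": "message", "message": {"type": "text", "text": "hi"},
         "constructedNewField": 1},
        {"type": "follow", "source": {"type": "user", "userId": "U-constructed"}},
        {"type": "constructedFutureEvent"},
    ],
}).encode("utf-8")

if __name__ == "__main__":
    print(process_webhook_body(SAMPLE_BODY))
```
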
### F-3. About verification in the request header
In the article "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)" (Second thing: Verify the message source), there is a clearer explanation. The article recommends the [verification method](https://devdocs.line.me/en/#signature-validation) as follows:
1. Use the Channel secret as the secret key, use the HMAC-SHA256 algorithm to obtain the [digest](http://terms.naer.edu.tw/detail/2359094/) value of the HTTP request body.
2. Encode the above digest value in Base64, and compare whether the content after encoding is the same as the content value of the X-Line-Signature item; if they are the same, it means that the event message is from the LINE platform, otherwise, reject processing the event message.
Related documents:
- "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)"
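
The two verification steps above (also the check described in section C), written out as an added Python example; it is not code from the slides or the LINE SDK. The secret and body are constructed sample values and the function names are hypothetical. The check runs on the raw request bytes, before any JSON parsing.

```python
import base64
import hashlib
import hmac


def compute_signature(channel_secret, raw_body):
    """Step 1 plus the encoding in step 2: HMAC-SHA256 of the body, then Base64."""
    digest = hmac.new(channel_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_from_line(channel_secret, raw_body, headers):
    """Return True only if X-Line-Signature matches the received body.

    raw_body must be the bytes exactly as received: parsing the JSON and
    re-serializing it can change whitespace or key order and break the digest.
    """
    # HTTP header names are case-insensitive, so normalize before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-line-signature")
    if not received:
        return False  # no signature at all: reject
    expected = compute_signature(channel_secret, raw_body)
    # compare_digest takes the same time wherever the first mismatch is.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


# Constructed sample values (not a real channel secret or a real LINE request).
SAMPLE_SECRET = "constructed-channel-secret"
SAMPLE_BODY = b'{"destination":"U-constructed-bot","events":[]}'

if __name__ == "__main__":
    good = {"X-Line-Signature": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print("valid request:     ", is_from_line(SAMPLE_SECRET, SAMPLE_BODY, good))
    print("modified body:     ", is_from_line(SAMPLE_SECRET, SAMPLE_BODY + b" ", good))
    print("missing signature: ", is_from_line(SAMPLE_SECRET, SAMPLE_BODY, {}))
```
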
### G Recommended request processing steps
<script async="" data-slide="18" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
This is covered in the article "[Ten Things You Must Know When Developing LINE Chatbots](https://engineering.linecorp.com/zh-hant/blog/line-device-10/)" (Third thing: Reply to the LINE platform with the correct HTTP status code as soon as possible). Only the relevant flow chart is listed here; you are welcome to check the blog for more.

### H. Communication errors between GW server -> BOT server
<script async="" data-slide="19" data-id="0e9f6182ae864568a5940cbad5ef4bec" data-ratio="1.77777777777778" src="//speakerdeck.com/assets/embed.js"></script>
### H-1. About Error Notification
For this part, refer to the following flow chart:

This describes that if there is a problem with the LINE platform (or if it cannot correctly receive the developer's reply), it will send another email to the developer's mailbox. The content of these emails is shown in the documentation.
Refer to the following articles:
- [LINE Dev Doc: Error notification](https://developers.line.biz/en/docs/partner-docs/error-notification/#page-title)
- [LINE Dev Doc: Notification email](https://developers.line.biz/en/docs/partner-docs/error-notification/#mail)
## Conclusion:
The above supplements and shares the second part of the "LINE Bot Developer Guide". If you want to know more, you can check the complete slides or read the other articles.
Want to know more about developer activities? Join the "LINE Developer Official Community" official account now to receive first-hand news of Meetup activities and push notifications about the latest developer program news. ▼
"LINE Developer Official Community" Official Account ID: @line\_tw\_dev 