# OpenAPI Webhooks { #openapi-webhooks }

There are cases where you want to tell your API **users** that your app could call *their* app (sending a request) with some data, normally to **notify** of some type of **event**.

This means that instead of the normal process of your users sending requests to your API, it's **your API** (or your app) that could **send requests to their system** (to their API, their app).

This is normally called a **webhook**.

      </searchConfiguration>

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  short readShort();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  int readUnsignedShort();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  char readChar();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  int readInt();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  long readLong();

#### The time to answer helps the attackers { #the-time-to-answer-helps-the-attackers }

At that point, by noticing that the server took some microseconds longer to send the "Incorrect username or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.

## Overriding dependencies during testing { #overriding-dependencies-during-testing }

There are some scenarios where you might want to override a dependency during testing.

You don't want the original dependency to run (nor any of the sub-dependencies it might have).

        netdfs.DfsInfo1 info1 = new netdfs.DfsInfo1();
        info1.entry_path = "test_path";

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        // Create buffer for encoding - initially allocate some space
        byte[] encodeBuffer = new byte[1024];
        NdrBuffer dst = new NdrBuffer(encodeBuffer, 0);
        info1.encode(dst);

        ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());

</div>

## Forbid Extra Headers { #forbid-extra-headers }

In some special use cases (probably not very common), you might want to **restrict** the headers that you want to receive.

You can use Pydantic's model configuration to `forbid` any `extra` fields:

{* ../../docs_src/header_param_models/tutorial002_an_py310.py hl[10] *}

If a client tries to send some **extra headers**, they will receive an **error** response.

   *
   * @return the next two bytes of the input stream, interpreted as an unsigned 16-bit integer in
   *     little-endian byte order
   * @throws IOException if an I/O error occurs
   */
  @CanIgnoreReturnValue // to skip some bytes
  @Override
  public int readUnsignedShort() throws IOException {
    byte b1 = readAndCheckByte();
    byte b2 = readAndCheckByte();

    return Ints.fromBytes((byte) 0, (byte) 0, b2, b1);
  }

In this case, it would be better to get **one extra server** and run some processes on it so that they all have **enough RAM and CPU time**.

# Advanced Security { #advanced-security }

## Additional Features { #additional-features }

There are some extra features to handle security apart from the ones covered in the [Tutorial - User Guide: Security](../../tutorial/security/index.md){.internal-link target=_blank}.

/// tip

The next sections are **not necessarily "advanced"**.

And it's possible that for your use case, the solution is in one of them.

///