Webhook security? #9354
Comments
|
For additional reference, GitHub themselves have HMAC-digest-based webhook payload verification: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries I believe Meta Webhooks are the same mechanism, as are countless other platforms that offer Webhook functionality. Perhaps good to align with this practice unless I'm blind and have overlooked something? |
|
This is a known missing feature, see #4732 Currently the only option is to use a webhook url that is not guessable, e.g. by using a random string in the url or as a query parameter. Not ideal, but slightly better than just using a url like /webhook/chatwoot |
|
Querystring key passing: I've used exactly that in my project. Thanks for mentioning that as an expected mitigation! |
Describe the bug
Hi, thanks for creating this great project. I'm setting up webhooks for ChatWoot and I'm hitting a wall on best practices for securing the Inbox webhook endpoint. I have a VPS set up to listen at the webhook URL but I want to secure it. Is there a way to lock this down so I can tell which requests to the webhook are genuine?
Have searched the documentation and codebase but only finding mentions of
api_access_tokennothing about securing the webhook. Am I missing something obvious here?To Reproduce
Expected behavior
For other platforms that offer webhook functionality there's usually something like a header which is sent with a predefined key. Or a header with a hash of the payload using a signing key.
Environment
app.chatwoot.com
Cloud Provider
None
Platform
None
Operating system
No response
Browser and version
No response
Docker (if applicable)
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: