Webhook Security: Best Practices to Secure Your Webhooks

By Karolis Rusenas · Oct 22, 2023

Introduction

Webhooks have become an essential component of modern application integration, allowing systems to communicate and exchange information in real-time. However, ensuring the security of webhooks is crucial to protect against potential vulnerabilities and attacks. In this research report, we will explore the best practices for securing webhooks, including encryption, authentication, message verification, and more. By following these practices, you can enhance the security of your webhook implementation and protect your data from potential threats.

[Image: firewall between webhooks and the server]

Best Practices for Webhook Security

1. Encrypt Data Sent Through Webhooks

Encrypting data sent through webhooks is a fundamental security measure to protect the confidentiality of the information transmitted. It is recommended to use the secure HTTP protocol, HTTPS, instead of HTTP. HTTPS encrypts all communication between the sender and receiver, making it harder for third parties to intercept and access the data.

2. Sign Webhooks for Authenticity and Integrity

Signing webhooks using a hash-based message authentication code (HMAC) ensures the authenticity and integrity of the messages. HMAC uses a shared secret key between the webhook provider and consumer to create a signature for each message. The consumer can then verify the signature to ensure that the message has not been tampered with during transit.

You can view our example of how to sign and verify webhooks using HMAC here.

3. Authenticate Connections to Verify the Source

Authenticating the source of webhook messages is essential to prevent unauthorized access and ensure that requests are coming from the intended source. One common method is to include an authentication token in the webhook request header. The consumer can check for this token to verify the legitimacy of the payload. Additionally, the consumer can whitelist the IP address of the webhook provider to only accept requests from known sources.

In Webhook Relay you can do this by going to the bucket details and clicking on the Authentication tab:

[Image: webhook token authentication]

Alternatively, you can select "basic", which applies standard username and password authentication.
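The two source checks described in this section, a shared token in a request header and an IP allowlist, as a consumer-side example. This is added illustration code, not Webhook Relay's implementation; the token value, the header layout (a Bearer token in Authorization) and the allowlisted ranges are constructed for the example, and the ranges use the RFC 5737 and RFC 3849 documentation prefixes.

```python
import hmac
import ipaddress

# Constructed values for this example: load the real token from a secret store and
# the real provider ranges from the provider's documentation.
EXPECTED_TOKEN = "example-webhook-token-0123456789"
ALLOWED_SOURCES = (
    ipaddress.ip_network("192.0.2.0/24"),   # RFC 5737 documentation range
    ipaddress.ip_network("2001:db8::/32"),  # RFC 3849 documentation range
)


def token_is_valid(headers, expected_token=EXPECTED_TOKEN):
    """True if the Authorization header carries exactly the expected bearer token.

    hmac.compare_digest runs in constant time, so a wrong token cannot be
    narrowed down one character at a time from response latency.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, presented = lowered.get("authorization", "").partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def source_is_allowed(remote_addr, allowed=ALLOWED_SOURCES):
    """True if remote_addr falls inside one of the allowlisted networks.

    remote_addr must be the TCP peer address (or the address a trusted reverse
    proxy sets), never a client-supplied header such as X-Forwarded-For.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # An IPv4 address is never "in" an IPv6 network and vice versa; that just yields False.
    return any(addr in network for network in allowed)


def accept_request(remote_addr, headers):
    """Apply both checks; the reason string is meant for the audit log."""
    if not source_is_allowed(remote_addr):
        return False, "source address not in allowlist"
    if not token_is_valid(headers):
        return False, "missing or invalid authentication token"
    return True, "ok"


if __name__ == "__main__":
    good = {"Authorization": "Bearer " + EXPECTED_TOKEN}
    print(accept_request("192.0.2.10", good))
    print(accept_request("198.51.100.7", good))
    print(accept_request("192.0.2.10", {"Authorization": "Bearer wrong-token"}))
```

The address check runs first because it is cheap and needs no secret; the token check uses a constant-time comparison because a plain string equality returns as soon as the first mismatching byte is found. Both rejection reasons are returned rather than just a boolean so the consumer can log which layer stopped the request.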

4. Add Timestamps to Prevent Replay Attacks

Adding timestamps to webhook messages helps prevent replay attacks, where an attacker intercepts and resends a legitimate message at a later time. By including a timestamp in the message and verifying it on the consumer side, the consumer can ensure that the message is current and reject any outdated or replayed messages.

Timestamps should be paired with the HMAC check to ensure that the attacker is not just changing the timestamp to a current one.
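A combined example covering section 2 (HMAC signing and verification) and this section (a timestamp bound into the signature, checked against a tolerance window). This is added code, not the example linked from the page or Webhook Relay's implementation; the header names, the secret and the 300-second tolerance are assumptions chosen for the illustration. It also goes one step beyond the text: because a replay inside the tolerance window still carries a fresh timestamp, the consumer keeps a short memory of signatures already accepted.

```python
import hashlib
import hmac
import time

SECRET = b"example-shared-secret"  # constructed; in practice shared out of band and kept in a secret store
TOLERANCE_SECONDS = 300             # how far a message timestamp may drift from the receiver's clock


def sign(secret, timestamp, body):
    """Provider side: HMAC-SHA256 over timestamp and body together, so neither
    can be changed without invalidating the signature."""
    message = str(int(timestamp)).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_request(secret, body, now=None):
    """Provider side: headers to send with the webhook body (header names are assumptions)."""
    timestamp = int(time.time() if now is None else now)
    return {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign(secret, timestamp, body),
    }


class ReplayGuard:
    """Consumer side: remembers signatures seen inside the tolerance window, so a
    verbatim replay that is still within the window is rejected as well."""

    def __init__(self, tolerance=TOLERANCE_SECONDS):
        self.tolerance = tolerance
        self.seen = {}  # signature -> timestamp

    def first_sighting(self, signature, timestamp, now):
        # Entries older than the window would fail the freshness check anyway; drop them.
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.tolerance}
        if signature in self.seen:
            return False
        self.seen[signature] = timestamp
        return True


def verify(secret, timestamp_header, signature_header, body, now=None,
           tolerance=TOLERANCE_SECONDS, guard=None):
    """Consumer side. Returns (accepted, reason); the reason is for the audit log."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "missing or malformed timestamp"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison; a plain == would leak how many leading characters matched.
    if not hmac.compare_digest(expected, signature_header or ""):
        return False, "bad signature"
    # Only a message whose signature is valid reaches the freshness check, so an
    # attacker cannot simply rewrite the timestamp to a current value.
    if abs(now - timestamp) > tolerance:
        return False, "stale timestamp (possible replay)"
    if guard is not None and not guard.first_sighting(signature_header, timestamp, now):
        return False, "duplicate delivery (replay)"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"event": "push", "ref": "refs/heads/main"}'
    headers = build_request(SECRET, body)
    ts, sig = headers["X-Webhook-Timestamp"], headers["X-Webhook-Signature"]
    print(verify(SECRET, ts, sig, body))                      # fresh, untampered
    print(verify(SECRET, str(int(ts) + 10), sig, body))       # timestamp edited -> bad signature
    print(verify(SECRET, ts, sig, body, now=time.time() + 900))  # delivered too late -> stale
```

The signature is computed over `timestamp.body`, which is why editing the timestamp alone fails with "bad signature" rather than passing the freshness check; a signature over the body only would let an attacker resend an old body under a new timestamp. The tolerance also absorbs clock skew between provider and consumer, so it should be a few minutes, not seconds.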

5. Use Certificate Pinning for Server Authentication

Certificate pinning is a technique used to ensure the authenticity of the server’s certificate during the SSL/TLS handshake. By pinning the server’s certificate in the code, the consumer can verify that the connection is established with the correct server and prevent attacks with fake or compromised certificates.
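An added example of what "pinning the server's certificate in the code" looks like on the client that delivers the webhook: normal TLS chain and hostname validation runs as usual, and on top of that the leaf certificate's SHA-256 fingerprint must match a pinned value. This is illustration code, not Webhook Relay's; the pinned fingerprints are placeholders, and pinning both the current and the next certificate is the caveat practitioners want, since a pin on a single certificate turns routine rotation into an outage.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholders: replace with the SHA-256 fingerprints of the server's real
# certificate. Pin the current and the next certificate so rotation does not cause an outage.
PINNED_FINGERPRINTS = {
    "0" * 64,  # placeholder for the current certificate
    "1" * 64,  # placeholder for the upcoming certificate
}


def fingerprint(der_cert):
    """Lower-case hex SHA-256 of the DER-encoded certificate, the same value
    `openssl x509 -fingerprint -sha256` prints (without the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise_pin(pin):
    """Accept pins copied from tools that print them colon-separated and upper-case."""
    return pin.replace(":", "").lower()


def pin_matches(der_cert, pins=PINNED_FINGERPRINTS):
    observed = fingerprint(der_cert)
    return any(hmac.compare_digest(observed, normalise_pin(pin)) for pin in pins)


def connect_pinned(host, port=443, pins=PINNED_FINGERPRINTS, timeout=10):
    """Open a TLS connection with standard chain and hostname validation, then
    additionally require the leaf certificate to match one of the pins.
    Returns the connected TLS socket; raises ssl.SSLCertVerificationError otherwise."""
    context = ssl.create_default_context()  # pinning supplements, never replaces, chain validation
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = context.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate presented by {host} matches none of the pinned fingerprints")
    return tls
```

Only the fingerprint comparison is exercised offline; `connect_pinned` needs a live endpoint. Pinning the whole certificate is the simplest form; pinning the public key (SPKI) survives re-issuance with the same key, but requires parsing the certificate, which this example leaves out.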

6. Avoid Sending Sensitive Data Through Webhooks

Webhooks are typically used for sending notifications about events and are not suitable for transmitting highly sensitive data such as passwords or credit card information. It is recommended to avoid sending sensitive data through webhooks and instead use more secure methods like direct API calls with proper authentication and encryption.

A typical workflow here is:

  1. GitHub sends a webhook that a push event has happened to a branch
  2. CI/CD system receives the webhook and starts a build by cloning the repository from the source

In this case, the CI/CD system should not be receiving any sensitive data from the webhook. It should only be receiving the event type and the repository URL. The CI/CD system should then use its own credentials to clone the repository.

7. Implement Logging for Auditing and Monitoring

Implementing logging for all webhook messages sent out is essential for auditing, monitoring, and detecting security incidents. By logging webhook messages, you can keep a record of every message sent and analyze them for any security-related issues or suspicious activities.

When routing webhooks through our platform, you can define either additional outputs (your auditing/logging system) or push webhooks through a function to a data warehouse.

[Image: webhook audit log in BigQuery]

8. Use a Subscription Model with Expiration Dates

Using a subscription model with expiration dates adds an extra layer of security to your webhook implementation. By allowing users to provide an expiration date for their subscription, you can limit the timeframe for potential attacks. Once the subscription expires, the webhook consumer can stop accepting requests from that particular source.

Conclusion

Securing webhooks is crucial to protect against potential vulnerabilities and attacks. By following the best practices outlined in this research report, including encrypting data, signing webhooks, authenticating connections, adding timestamps, using certificate pinning, avoiding sensitive data transmission, implementing logging, and using a subscription model, you can enhance the security of your webhook implementation. It is important to tailor the security measures to the nature of the information being sent and to implement overlapping layers of security for comprehensive protection.

Remember that security is an ongoing process, and it is essential to regularly review and update your security measures to stay ahead of potential threats. By prioritizing webhook security, you can ensure the integrity and confidentiality of your data and maintain the trust of your users.

Webhook Relay’s approach to security

At Webhook Relay all webhooks are encrypted in transit and we provide a number of ways to verify the authenticity of the message. You can monitor, audit and inspect webhook payloads, statuses and your server responses to them. You can use password or HMAC authentication with just a few clicks or implement a custom, provider-specific authentication method with Functions.
