
Provide signatures for webhook alerts #1555

@nscuro


Current Behavior:

Alerts / notifications sent via Webhook are neither authenticated nor signed in any way.
This makes it hard for receiving parties to verify whether a given notification was sent by DT.

Proposed Behavior:

For the Webhook alert type, allow for an optional shared secret to be provided.
Before sending the webhook request, calculate an HMAC for the JSON payload, and include the resulting value in a request header (e.g. X-Webhook-Signature).

For reference, this is also how GitHub is doing it: https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks
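The proposed scheme as a sender/receiver pair, added here as an illustration; it is not part of the original issue and not Dependency-Track code. The header name is the one suggested above. HMAC-SHA256, the GitHub-style `sha256=` prefix, the secret and the payload are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional

HEADER = "X-Webhook-Signature"  # header name suggested in the issue
PREFIX = "sha256="              # assumption: GitHub-style algorithm prefix


def sign(secret: Optional[bytes], body: bytes) -> dict:
    """Sender side: build the headers for an outgoing webhook request."""
    headers = {"Content-Type": "application/json"}
    if secret:  # the shared secret is optional; without it nothing is signed
        headers[HEADER] = PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return headers


def verify(secret: bytes, body: bytes, headers: Mapping[str, str]) -> bool:
    """Receiver side: check the header against the raw request bytes."""
    received = next(
        (v for k, v in headers.items() if k.lower() == HEADER.lower()), None
    )
    if received is None or not received.startswith(PREFIX):
        return False  # unsigned or unknown scheme: reject, do not fall back
    expected = PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(received.encode(), expected.encode())


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed value
    # Constructed payload, serialised once; these exact bytes are what is signed.
    body = json.dumps({"event": "example", "id": 1}).encode()
    headers = sign(secret, body)
    # Parsing and re-serialising changes whitespace, so the MAC no longer matches.
    reserialised = json.dumps(json.loads(body), separators=(",", ":")).encode()
    return {
        "valid": verify(secret, body, headers),
        "tampered": verify(secret, body.replace(b"1", b"2"), headers),
        "reserialised": verify(secret, reserialised, headers),
        "wrong_secret": verify(b"other-secret", body, headers),
        "unsigned": verify(secret, body, sign(None, body)),
    }


if __name__ == "__main__":
    print(demo())
```

A receiver has to verify the bytes exactly as they arrived, before any JSON parsing, and should treat a missing header as a failure once a secret is configured.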


Labels: enhancement (New feature or request), good first issue (Good for newcomers), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
