Hacker News new | ask | show | jobs
by elithrar 1284 days ago
I would strongly recommend against using IP ACLs to "... verify the source IP of the request to prevent acknowledging webhooks from unknown and potentially malicious servers."

You should validate that the request is signed correctly, and reject it if not. An IP ACL can be a useful "remove some of the noise" tool, but no more than that.

For example, Discord's webhook implementation has you verify the incoming request against an app-specific (your app; not all apps) public key: https://discord.com/developers/docs/interactions/receiving-a... — this is really the right approach to this.
2 comments
subomi 1284 days ago
Convoy author here.

We also provide Signature verification. Static IPs are added security mechanisms for webhook consumers with strict network access rules.

link
devingoldfish 1284 days ago
> You should validate that the request is signed correctly

I agree with you here, but wondering what you see the benefit of per-app PKI is, versus signing all webhooks with the same cert. Is it to prevent having to do a key rotation that would impact every webhook consumer?

link
subomi 1284 days ago
If you specify one public key for all endpoints, It means all consumers can verify each other’s webhook data which is not what you want. You want each consumer to be able to verify only webhooks intended for them and fail otherwise.

We wrote a detailed guide on generating and rolling public key/secrets for your endpoints here [1]

[1] https://getconvoy.io/blog/generating-stripe-like-webhook-sig...

link