Webhooks can be secured during setup, runtime, and with compensatory controls:
Webhook providers implement security controls during webhook setup to reduce the risk of a webhook being registered or exploited to obtain confidential data. All webhook services we researched require authentication and authorization to set up webhooks in their Admin UIs and APIs. Some webhook providers add a one-time verification challenge to confirm that the webhook consumer actually controls the endpoint.
Webhook providers implement security controls at runtime to give consumers a way to verify that notifications are authentic, have not been tampered with, and are not replayed.
During our research, we found many different ways that providers secure webhooks at runtime. We broke down each authentication and message security control with some examples, a summary table, and some diagrams:
- Shared Secrets, Basic Authentication, Bearer Tokens, and Verification tokens
- Hash-based Message Authentication Code (HMAC)
- Asymmetric Key Signatures
- JWTs, JWKs, and OAuth 2.0
- Mutual TLS Authentication (mTLS)
- Replay Prevention
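As an added example (not code from the original article or from any of the providers it surveys), the following Python shows the consumer side of two of the runtime controls listed above, HMAC message authentication and replay prevention, for a hypothetical signing scheme: the sender computes HMAC-SHA256 over `"<timestamp>.<body>"` with the shared secret and sends the timestamp, signature and a delivery id in headers. The header names, the scheme and the tolerance window are assumptions, not any specific provider's format.

```python
import hmac
import hashlib
import time

# Hypothetical scheme (assumption): signature = hex(HMAC-SHA256(secret, "<ts>.<body>"))
# Header names below are constructed for this example, not a real provider's.
TOLERANCE_SECONDS = 300  # accept deliveries only within +/- 5 minutes


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Provider side: the signature a sender attaches to a delivery."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen_ids = set()  # production: persistent store with a TTL >= tolerance

    def verify(self, headers: dict, body: bytes, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Webhook-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        sig = headers.get("X-Webhook-Signature", "")
        delivery_id = headers.get("X-Webhook-Delivery-Id", "")
        # Constant-time comparison avoids leaking the MAC through timing differences.
        if not hmac.compare_digest(sign(self.secret, ts, body), sig):
            return False, "bad signature"
        # The timestamp is covered by the MAC, so it can be trusted only after the check above.
        if abs(now - ts) > self.tolerance:
            return False, "timestamp outside tolerance window"
        # Reject a delivery id already processed inside the window (replay).
        if not delivery_id or delivery_id in self.seen_ids:
            return False, "replayed or missing delivery id"
        self.seen_ids.add(delivery_id)
        return True, "ok"


def demo():
    """Constructed delivery: a valid notification, its replay, and a tampered body."""
    secret, ts = b"constructed-shared-secret", 1_700_000_000
    body = b'{"event":"order.paid","id":42}'
    headers = {"X-Webhook-Timestamp": str(ts),
               "X-Webhook-Signature": sign(secret, ts, body),
               "X-Webhook-Delivery-Id": "dlv-0001"}
    v = WebhookVerifier(secret)
    first = v.verify(headers, body, now=ts + 10)
    replay = v.verify(headers, body, now=ts + 20)
    tampered = v.verify(headers, body.replace(b"42", b"43"), now=ts + 10)
    return first, replay, tampered
```

The order of checks matters: the signature is verified before the timestamp and delivery id are trusted, since an attacker who can forge neither cannot move a stale delivery back inside the window.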
Webhook listeners can implement compensatory controls — such as IP restrictions and API callbacks to the webhook service — to increase the overall security of webhook communications. We will dive into compensatory controls under Best practices for webhook consumers.