Webhook Security

Introduction to Webhook Security

Webhooks can be secured during setup, runtime, and with compensatory controls:

During Setup

Webhook providers implement security controls during webhook setup to reduce the risk that webhooks are abused to obtain confidential data. All webhook services we researched require authentication and authorization to set up webhooks in their admin UIs and APIs. Some webhook providers implement an additional one-time verification challenge to confirm that the webhook consumer actually controls the endpoint.

During Runtime

Webhook providers implement security controls at runtime to give consumers a way to validate that notifications are authentic, have not been tampered with, and are not replayed.

During our research, we found many different ways that providers secure webhooks at runtime. We break down each authentication and message security control with examples, a summary table, and diagrams:
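
The three runtime properties above (authenticity, integrity, replay protection) are usually covered together by a timestamped HMAC signature that the consumer verifies. The following is an added example written for this page, not code from any provider; the header names, the `"<timestamp>.<body>"` signing layout, and the 300-second replay window are assumptions for illustration, not a specific provider's scheme.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Assumed header layout (not any particular provider's scheme):
#   X-Webhook-Timestamp: <unix seconds>
#   X-Webhook-Signature: sha256=<hex HMAC-SHA256 of "<timestamp>.<raw body>">
REPLAY_WINDOW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC over the timestamp and the raw body, so neither the payload
    nor the timestamp can be altered without invalidating the signature."""
    msg = timestamp.encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Freshness is checked before the signature so
    stale deliveries are rejected even if their signature is valid."""
    now = time.time() if now is None else now
    ts = headers.get("X-Webhook-Timestamp")
    sig = headers.get("X-Webhook-Signature")
    if not ts or not sig:
        return False, "missing signature headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts_int) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, ts, body)
    # Constant-time comparison so the check does not leak the valid
    # signature through timing differences.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery (not a captured message).
SECRET = b"whsec_example_shared_secret"
BODY = b'{"event":"order.paid","id":"ord_123","amount":4200}'
TS = "1700000000"
HEADERS = {
    "X-Webhook-Timestamp": TS,
    "X-Webhook-Signature": compute_signature(SECRET, TS, BODY),
}

if __name__ == "__main__":
    print(verify_webhook(SECRET, HEADERS, BODY, now=1700000010))
```

Verify against the raw request bytes, not a re-serialized JSON object, since any re-encoding changes the signed message.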

Compensatory Controls

Webhook listeners can implement compensatory controls — such as IP restrictions and API callbacks to the webhook service — to increase the overall security of webhook communications. We will dive into compensatory controls under Best practices for webhook consumers.

All providers by name