29

I'm currently using SendGrid's Inbound Parse Webhook to feed emails to my application. I've been able to get it working by pointing the URL to an endpoint which my application has exposed. SendGrid just sends the email in the form of a JSON format HTTP POST request to this endpoint and I just process each request internally.

My question is, now that I have it working, how do I ensure that only SendGrid can use this endpoint? At the moment, anyone can utilise this HTTP POST endpoint and pretend that an email has been sent to the application.

Can I get SendGrid to send some sort of unique key to identify themselves? Is there a way I can restrict by ip address?

Diskdrive
  • 18,107
  • 27
  • 101
  • 167
  • 5
    Do not restrict by ip address, according to the [docs](http://sendgrid.com/docs/API_Reference/Webhooks/event.html#-Troubleshooting) they keep changing it. – Diogo Gomes Feb 20 '14 at 11:01

2 Answers2

33

There are two ways which you may secure your endpoint. SendGrid's webhooks support basic auth (e.g. https://user:pass@example.com/endpoint). You can also implement a unique key, that you check before acting upon the request (e.g. https://example.com/endpoint?key=123).

The simple answer, however, is anything that you add to the URL can act as unique authentication for SendGrid.

Nick Q.
  • 3,947
  • 2
  • 23
  • 37
  • 5
    Are keys included this way, as params, visible across the network when requests are made? That would make your endpoint vulnerable to anyone who sends a request to this exact path. – Cezar T Sep 13 '18 at 07:17
  • 1
    I'd like to hear any thoughts concerning @CezarT 's comment. What if I lock down the webhook endpoint on my application to only respond to SendGrid's IP address? Would that (plus the random key) be sufficient for securing the endpoint? – trademark Dec 07 '18 at 16:35
  • 4
    The example uses https, as ssl/tls encrypts the whole http layer the GET parameters of the URL are encrypted. Sniffing the network would not make them visible as plain text as long as you only trust valid certifactes. – cyptus Mar 06 '19 at 07:38
  • 1
    Do they not have something built-in? That would have been nice. Similar to this: https://docs.sendgrid.com/for-developers/tracking-events/getting-started-event-webhook-security-features#the-signed-event-webhook – AliAvci Apr 26 '22 at 17:11
0

Sendgrid support suggest using a reverse dns lookup and ensuring that the resulting hostname belongs to sendgrid.net. They apparently have no built in security features for these webhooks.

Sindre
  • 1