What is the best practice to validate that a webhook has been sent to my subscription endpoint by Azure Event Grid rather than by another, possibly malicious, service or person?
Viewed 900 times
1 Answer
2
When you configure the webhook URL, you can put a secret token into a query parameter. Then, in your code, you can validate this parameter.
For example, for an Azure Function webhook, you would use the code parameter:
https://myfunctionapp.azurewebsites.net/api/EventGridWebHook1?code=your_functionapp_code

Mikhail Shilkov
I am not sure it is an acceptable solution. Having a security code in query parameters or the URI is bad practice, as it might easily be exposed in logs and such. Also, it is risky if the webhook endpoint is not protected by SSL (https). I expected something like https://developer.github.com/webhooks/securing/ – sANDwORm Oct 19 '17 at 14:52
Those are valid concerns, @sANDwORm. Some thoughts that initially come to mind are: all your public endpoints should be secure (SSL), practice security-in-depth (rotate your keys, validate them on the borders/endpoints, add another layer of security in the payload with the data property). – dbarkol Oct 26 '17 at 21:49
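The checks discussed in the answer and the comments above (a secret in the webhook URL's query parameter, accepted only over HTTPS, keys that can be rotated, and an optional second marker in each event's data property), as an added Python example that is not code from the answerers or from Azure. The secrets, the `subscriberMarker` field name and the sample event batch are constructed for illustration; the data-property layer only applies when you also control the publisher that fills in `data`.

```python
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample keys. Keeping the previous key valid alongside the
# current one lets you rotate the subscription URL without rejecting
# deliveries that are still configured with the old value.
VALID_SECRETS = ("current-secret-EXAMPLE", "previous-secret-EXAMPLE")


def secret_from_url(url, param="code"):
    """Return the secret carried in the query parameter, or None.

    A secret sent over plain http is treated as absent: it could have
    been read, or replaced, by anyone on the path.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return None
    values = parse_qs(parsed.query).get(param, [])
    return values[0] if len(values) == 1 else None


def secret_is_valid(candidate, valid_secrets=VALID_SECRETS):
    """Compare the presented secret against every accepted key."""
    if not candidate:
        return False
    candidate_bytes = candidate.encode()
    matched = False
    for secret in valid_secrets:
        # hmac.compare_digest does not stop at the first differing byte,
        # so response time does not reveal how much of a key was right.
        # No early return either, so the timing does not reveal which
        # of the accepted keys matched.
        if hmac.compare_digest(candidate_bytes, secret.encode()):
            matched = True
    return matched


def events_carry_marker(body, marker, field="subscriberMarker"):
    """Optional second layer (hypothetical field name): when you control
    the publisher, it can put a marker in each event's `data` property
    and the handler rejects the batch if any event lacks it."""
    try:
        events = json.loads(body)
    except ValueError:
        return False
    if not isinstance(events, list) or not events:
        return False
    for event in events:
        data = event.get("data") if isinstance(event, dict) else None
        value = data.get(field) if isinstance(data, dict) else None
        if not isinstance(value, str):
            return False
        if not hmac.compare_digest(value.encode(), marker.encode()):
            return False
    return True


def authorize_delivery(url, body, marker=None):
    """Decision for the webhook handler: True only when the query-string
    secret checks out and, if a marker is configured, every event has it."""
    if not secret_is_valid(secret_from_url(url)):
        return False
    if marker is not None and not events_carry_marker(body, marker):
        return False
    return True


# Constructed sample delivery in the Event Grid event schema.
SAMPLE_BODY = json.dumps([{
    "id": "00000000-0000-0000-0000-000000000001",
    "eventType": "Example.Event",
    "subject": "example/subject",
    "eventTime": "2017-10-19T14:52:00Z",
    "data": {"subscriberMarker": "marker-EXAMPLE"},
    "dataVersion": "1",
    "metadataVersion": "1",
    "topic": "/subscriptions/EXAMPLE/resourceGroups/EXAMPLE/providers/Microsoft.EventGrid/topics/example",
}])

if __name__ == "__main__":
    good = "https://myfunctionapp.azurewebsites.net/api/EventGridWebHook1?code=current-secret-EXAMPLE"
    print(authorize_delivery(good, SAMPLE_BODY, marker="marker-EXAMPLE"))  # True
    print(authorize_delivery(good.replace("https://", "http://"), SAMPLE_BODY))  # False
```

In a real Function, `url` and `body` come from the incoming request object; the checks are kept framework-agnostic here so the same logic can be unit-tested without a host. Rotation works by adding the new key to the accepted set, updating the subscription URL, and then dropping the old key once deliveries with it stop arriving.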