In a C# program I am creating, I am wanting to send the answers people give (the program is a quiz) to a webhook where they can be stored. How do I make it so that if someone opens up the Program.cs they can't see what the webhook is? I use base64 in Python for this.
- Perhaps you can just use a public URL but pass a secret token in the request header validated by the webhook. Be sure not to hard-code the token or store it in plain text, but store it in a file protected by DPAPI. – Brian Habrock Jan 13 '20 at 19:57
- If they can open up Program.cs they can probably debug your code as well and get the value, can't they? – Train Jan 13 '20 at 20:33
1 Answer
Well, to start, if you're using Base64 for encryption/obfuscation of some sort, you have a massive security flaw somewhere that requires some urgent attention... the only thing required to read a Base64-encoded string is to decode it.
Second, what you're looking for is what is generally referred to as "app secrets" or "environment variables"; these are values that are typically assigned/initialized at runtime. You should use an app setting of some sort.
But even still, because this is client-side, the URL would not be "obfuscated": if they're able to disassemble the program or application, they will be able to find the secret within the disassembled code.
You could use a non-secret/public URL that then forwards requests to the secret URL (this would be the most secure approach, as it is the only way the client would be unable to get access to the underlying URL without access to the server).
Ultimately, however, if an endpoint is so sensitive that you have to keep it secret, you probably should not be having clients send data directly to it.

- Wouldn't this also be unable to work? Since if the public URL forwards to it, then they can just use the public URL to send requests to the webhook. – TwistedNight Jan 14 '20 at 06:37
- @TwistedNight, yes, of course they can. You must accept the fact that you can't really keep the request secret. A motivated user can always figure out what happens on the client (and consequently replicate what it does). – Peter Jan 14 '20 at 07:03
- @TwistedNight Not really. I mean, if you're literally just using HTTP semantics to forward the request, sure, they will know; HTTP will add headers to indicate it was forwarded from one address to another. If you're piping the request through the service (i.e., you POST to service A, service A POSTs what you POSTed to service B, service B responds to service A, service A responds to you), there's no way to know what service B is without listening to network traffic from service A, which I would say is reasonably secure. Most malicious users will not be close enough to the server to do this. – gabriel.hayes Jan 14 '20 at 15:10
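The relay described in the answer and in the comments above (client posts to a public service A, which validates a token and re-posts to the hidden webhook B), sketched here as an added example that is not code from the question or the answerers. The header name `X-Quiz-Token`, the environment variable names and the sample submission are assumptions chosen for this example; the webhook URL only ever exists on the relay host, so a client binary has nothing to reveal.

```python
import hmac
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Mapping, Tuple

# Server-side configuration. On a real relay these come from the host's environment
# or a secret store; the fallback values below are constructed for this example.
SECRET_WEBHOOK_URL = os.environ.get("QUIZ_WEBHOOK_URL", "https://hooks.example.invalid/constructed-path")
CLIENT_TOKEN = os.environ.get("QUIZ_CLIENT_TOKEN", "constructed-client-token")
MAX_BODY_BYTES = 4096


def relay_submission(headers: Mapping[str, str], body: bytes,
                     forward: Callable[[str, bytes], int]) -> Tuple[int, str]:
    """Validate one quiz submission and forward it to the hidden webhook.

    `forward(url, body)` performs the outbound POST and returns the upstream HTTP
    status; it is injected so the logic can be tested without network access.
    Returns (status_code, reason) for the client; the webhook URL never leaves this process.
    """
    token = headers.get("X-Quiz-Token", "")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(token.encode(), CLIENT_TOKEN.encode()):
        return 401, "missing or invalid token"
    if len(body) > MAX_BODY_BYTES:
        return 413, "submission too large"
    try:
        answers = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(answers, dict) or not answers:
        return 400, "expected a non-empty JSON object of answers"
    if forward(SECRET_WEBHOOK_URL, body) >= 400:
        # Do not echo upstream details to the client; they could describe the hidden endpoint.
        return 502, "upstream storage rejected the submission"
    return 202, "accepted"


def post_json(url: str, body: bytes) -> int:
    """Outbound POST used in production; returns the upstream HTTP status code."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

In production the relay would call `relay_submission(request.headers, request.body, post_json)` from whatever HTTP framework fronts it; as Peter notes, a user who extracts the token can still submit through the public URL, so the token limits who can post and the validation limits what, but neither can make the client's own traffic secret.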