topic Webhooks security in Workato Pros Discussion Board

Webhooks security

cpatel — Mon, 14 Mar 2022 23:47:29 GMT

Are there any posts/documents/guides on how we can secure the data being sent by other systems to webhooks.

I am trying to configure webhook and listen to trigger from sailpoint and using this: https://docs.workato.com/connectors/workato-webhooks but I do not see how the data being sent from sailpoint to workato would be protected. Any information on how to protect the transportation of data?

Re: Webhooks security

jblanchett — Mon, 14 Mar 2022 23:51:48 GMT

If the webhook provider provides a form of signature, like HMAC signature, you can create a callable recipe to confirm the signature before processing the webhook. Otherwise, you may want to look into using API endpoints and use API authentication and/or IP whitelisting

Re: Webhooks security

jblanchett — Tue, 15 Mar 2022 00:01:35 GMT

If the webhook doesn't contain anything sensitve, and it just triggers you to go do something, like download a report, then that's fine you don't really need to authenticate the webhook in anyway. Just don't send any requests to a URL provided by the webhook. Use the parameters and such, but don't use the entire URL as it may be a bad one.

Re: Webhooks security

cpatel — Tue, 15 Mar 2022 00:08:04 GMT

Webhook provider has quite limited capabilites but I was thinking of using api end points but again there are limitations of what authentication options available on sailpoint side. I just wanted to know how others are handling it and looks like they don't protect what's not important and use some methods if protection needed.

Some kind of response from community is really helpful to confirm my own understanding which I get from workato documentation , specially in this remote world.