Security request validation methods webhook

I have noticed that in the settings of a webhook there are 2 options for the request validation methods.
“Payload Signature Verification” seems to be pretty safe as it uses a secret signature inserted inside the header.
As for the “Secret as a Query Parameter” option, how secure can it be? Is inserting a secret key inside the url as a query parameter, e.g. in the HTTP POST method, highly insecure since it is very easy for a user to read the url and immediately get the secret key written inside it (e quindi superare con facilità la sicurezza della richiesta di validazione del webhook)?
Is it highly inadvisable to use this validation method or is security still guaranteed?

Hi @Andrea,

Its more a question what the calling platform can provide. If the calling platform is a third party where you can’t control headers or calculate signeture providing at least a secret is more secure than not providing anything or running as System.

This is why we have different authentication methods for webhooks as we already discussed (application, script etc…)


1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.