<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Securing webhooks in ArcGIS Enterprise Questions</title>
    <link>https://community.esri.com/t5/arcgis-enterprise-questions/securing-webooks/m-p/1349179#M37672</link>
    <description>&lt;P&gt;A few questions: What version of ArcGIS Enterprise are you using? Are you using Organization or Feature Service webhooks?&lt;/P&gt;&lt;P&gt;Some background information:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Organization webhooks do not use the challenge/hash method as referenced in the help link. They use a straight keyword which is included in the payload that the receiver can use to decide if the payload is trustworthy.&lt;/LI&gt;&lt;LI&gt;Enterprise Feature Service webhooks made use of the same pattern as the Org webhooks in 11.0 (Beta) and 11.1. That is, the keyword sent in the payload. Beginning at 11.2 (just released), the Enterprise Feature Service webhooks were updated to match the Online Feature Service security model, sending a signature hash in the header based on a given keyword/payload itself. This update matches the security model you referenced in the doc. For Enterprise Feature Service webhooks, you can see the doc note here indicating this change happened in 11.2:&amp;nbsp;&lt;A href="https://developers.arcgis.com/rest/enterprise-administration/server/create-webhook.htm" target="_blank"&gt;https://developers.arcgis.com/rest/enterprise-administration/server/create-webhook.htm&lt;/A&gt;&lt;/LI&gt;&lt;LI&gt;As you said you're using Flask (Python), if you want some code that does the CRC/Hash/Signature workflow, you can see the code I have here:&amp;nbsp;&lt;A href="https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/__init__.py" target="_blank"&gt;https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/__init__.py&lt;/A&gt; and&amp;nbsp;&lt;A href="https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/hash_check.py" target="_blank"&gt;https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/hash_check.py&lt;/A&gt;&amp;nbsp;- This code was developed for Online Feature Service webhooks, but you can pull the functions out, putting them into Flask and applying them to Enterprise 11.2 Feature Service webhooks.&lt;/LI&gt;&lt;/UL&gt;</description>
    <pubDate>Tue, 14 Nov 2023 14:56:12 GMT</pubDate>
    <dc:creator>KevinHibma</dc:creator>
    <dc:date>2023-11-14T14:56:12Z</dc:date>
    <item>
      <title>Securing webhooks</title>
      <link>https://community.esri.com/t5/arcgis-enterprise-questions/securing-webooks/m-p/1341851#M37552</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am trying to secure my webhooks by implementing the identity confirmation strategies stated in the official documentation (&lt;A href="https://developers.arcgis.com/rest/services-reference/online/web-hooks-security-feature-service-.htm" target="_self"&gt;here&lt;/A&gt;).&lt;/P&gt;&lt;P&gt;According to it, if a signature key is specified, a new header item should pop up with a signature, and CRC checks (via HTTP GET) can also be performed.&lt;/P&gt;&lt;P&gt;Even though I create the Feature Service (and tried with portal webhooks too) with the signature key value, the headers for the webhook creation response and further triggered events contain a&amp;nbsp;&lt;STRONG&gt;&lt;FONT face="courier new,courier"&gt;Signaturekey&lt;/FONT&gt;&lt;/STRONG&gt; header, but no trace of&amp;nbsp;&lt;STRONG&gt;&lt;FONT face="courier new,courier"&gt;x-esriHook-Signature&lt;/FONT&gt;&lt;/STRONG&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Besides, my application, which is listening for both GETs &amp;amp; POSTs to handle the CRC, never gets any GET request.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;My webhook handler is a Flask application configured properly with trusted certificates, available to the AGE machine and ready to handle both POST and GET requests separately (so I can perform CRC on GET and process the webhook payloads from POST).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;The webhooks are properly processed if no signature key is set up, so there must be something there I am missing or that does not work as expected.&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Could anyone who has set this up correctly provide some advice? I don't see what else one needs to add to the create webhook request besides the signature key parameter.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Oct 2023 10:06:56 GMT</pubDate>
      <guid>https://community.esri.com/t5/arcgis-enterprise-questions/securing-webooks/m-p/1341851#M37552</guid>
      <dc:creator>Francisco_R</dc:creator>
      <dc:date>2023-10-26T10:06:56Z</dc:date>
    </item>
    <item>
      <title>Re: Securing webhooks</title>
      <link>https://community.esri.com/t5/arcgis-enterprise-questions/securing-webooks/m-p/1349179#M37672</link>
      <description>&lt;P&gt;A few questions: What version of ArcGIS Enterprise are you using? Are you using Organization or Feature Service webhooks?&lt;/P&gt;&lt;P&gt;Some background information:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Organization webhooks do not use the challenge/hash method as referenced in the help link. They use a straight keyword which is included in the payload that the receiver can use to decide if the payload is trustworthy.&lt;/LI&gt;&lt;LI&gt;Enterprise Feature Service webhooks made use of the same pattern as the Org webhooks in 11.0 (Beta) and 11.1. That is, the keyword sent in the payload. Beginning at 11.2 (just released), the Enterprise Feature Service webhooks were updated to match the Online Feature Service security model, sending a signature hash in the header based on a given keyword/payload itself. This update matches the security model you referenced in the doc. For Enterprise Feature Service webhooks, you can see the doc note here indicating this change happened in 11.2:&amp;nbsp;&lt;A href="https://developers.arcgis.com/rest/enterprise-administration/server/create-webhook.htm" target="_blank"&gt;https://developers.arcgis.com/rest/enterprise-administration/server/create-webhook.htm&lt;/A&gt;&lt;/LI&gt;&lt;LI&gt;As you said you're using Flask (Python), if you want some code that does the CRC/Hash/Signature workflow, you can see the code I have here:&amp;nbsp;&lt;A href="https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/__init__.py" target="_blank"&gt;https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/__init__.py&lt;/A&gt; and&amp;nbsp;&lt;A href="https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/hash_check.py" target="_blank"&gt;https://github.com/Esri/webhooks-samples/blob/master/Developer/azure/function.python/Hook/hash_check.py&lt;/A&gt;&amp;nbsp;- This code was developed for Online Feature Service webhooks, but you can pull the functions out, putting them into Flask and applying them to Enterprise 11.2 Feature Service webhooks.&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Tue, 14 Nov 2023 14:56:12 GMT</pubDate>
      <guid>https://community.esri.com/t5/arcgis-enterprise-questions/securing-webooks/m-p/1349179#M37672</guid>
      <dc:creator>KevinHibma</dc:creator>
      <dc:date>2023-11-14T14:56:12Z</dc:date>
    </item>
  </channel>
</rss>

