https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772396#M4166 <HTML><HEAD></HEAD><BODY><P>Hi Tom,</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>As Survey123 uses a client Webhooks, it is not possible to secure based on IP address by default (as submissions could come via the cellular network, a coffee shop's wifi, or a home user's wifi). &nbsp;If the webhook author is aware of conditions that would restrict the address (such as they know only valid submissions would originate from the organization's internal network), then a restriction based on IP can be put in place.</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>It is certainly possible for a form submission to have a question answered that a webhook then filters it's processing on, including not processing records that don't meet a condition after the submission has been received.</P></BODY></HTML> Fri, 01 Nov 2019 19:44:45 GMT JamesTedrick 2019-11-01T19:44:45Z https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772395#M4165 <HTML><HEAD></HEAD><BODY><P>It would seem to me that an integromat webhook (for example) is just open to anyone who knows the URL.&nbsp; I realize it is typically a fairly obscure URL.&nbsp; But, is there a way to secure it such that it only accepts info from Survey123 and avoid someone just submitting junk?&nbsp; </P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>One thought is to look at the headers of the incoming request and filter based on something.&nbsp; Survey123 IP address?&nbsp; I saw some other product that allows you to append an additional item to the outgoing message, basically a "Security Key" that you could then filter against on the processing side (e.g. integromat).&nbsp;&nbsp; Is that something Esri might think about implementing? Letting the user add an extra bit of info on the outgoing message to assure it is a valid message coming in?</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>Thanks for any thoughts.</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>Tom S.</P></BODY></HTML> Wed, 30 Oct 2019 19:42:40 GMT https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772395#M4165 TomSchwartzman 2019-10-30T19:42:40Z https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772396#M4166 <HTML><HEAD></HEAD><BODY><P>Hi Tom,</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>As Survey123 uses a client Webhooks, it is not possible to secure based on IP address by default (as submissions could come via the cellular network, a coffee shop's wifi, or a home user's wifi). &nbsp;If the webhook author is aware of conditions that would restrict the address (such as they know only valid submissions would originate from the organization's internal network), then a restriction based on IP can be put in place.</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>It is certainly possible for a form submission to have a question answered that a webhook then filters it's processing on, including not processing records that don't meet a condition after the submission has been received.</P></BODY></HTML> Fri, 01 Nov 2019 19:44:45 GMT https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772396#M4166 JamesTedrick 2019-11-01T19:44:45Z https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772397#M4167 <HTML><HEAD></HEAD><BODY><P>Thanks James - I was thinking of something that is set at the Survey Item level, that carries with the survey and thus all records submitted through the survey.&nbsp; Something like an option in the pic below ("Security Key" in picture).&nbsp; That Security Key would be carried along with the survey and when submitted would show up somewhere (header? submitted data?).&nbsp; I think it'd be better to put it here than as a question (hidden or otherwise) in a survey.&nbsp; Just my two cents.</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P><IMG class="image-1 jive-image" src="https://community.esri.com/legacyfs/online/471609_pastedImage_1.png" /></P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>I modeled this idea after what I saw here:&nbsp;&nbsp;<A class="link-titled" href="https://support.snapcomms.com/s/article/webhook---integration" title="https://support.snapcomms.com/s/article/webhook---integration">Snapcomms Knowledge Base Portal</A>&nbsp; &nbsp;- basically they will send the security key with every webhook submission.</P><SPAN> </SPAN><P></P><SPAN> </SPAN><P>Tom</P></BODY></HTML> Fri, 01 Nov 2019 19:56:15 GMT https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772397#M4167 TomSchwartzman 2019-11-01T19:56:15Z https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772398#M4168 <HTML><HEAD></HEAD><BODY><P>+1 on Webhook security.&nbsp;Maybe&nbsp;basic/digest auth...</P></BODY></HTML> Fri, 07 Feb 2020 19:33:27 GMT https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/772398#M4168 OlegKachirski 2020-02-07T19:33:27Z https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/1207886#M44561 <P>Does filtering based on a predictable answer make a webhook that much more secure, or are there still other vulnerabilities?&nbsp;</P> Tue, 30 Aug 2022 19:58:14 GMT https://community.esri.com/t5/arcgis-survey123-questions/securing-webhook/m-p/1207886#M44561 TanGnar 2022-08-30T19:58:14Z