Hi,
I am trying to secure my webhooks by implementing the identity confirmation strategies stated on the official documentation ( here. )
According to it, if a signature key is specified, a new header item should popup with a signature and also CRC checks (via HTTP GET) can be performed.
Even though I create the Feature Service (and tried with portal webhooks too) with the signature key value, the headers for the webhook creation response and further triggered events contain a Signaturekey header, but no trace of x-esriHook-Signature.
Besides, my application which is listening for both GET & POSTs to handle the CRC never gets any GET request.
My webhook handler is a flask application configured properly with trusted certificates, available to the AGE machine and ready to handle both POST and GET requests separately (so I can perform CRC on GET and process the webhook payloads from POST).
The webhooks are properly processed if no signature key is set up, so there must be something there I am missing or that does not work as expected.
Could anyone who has set up this correctly provide some advice? I don't see what else one needs to add to the create webhook request besides the signature key parameter.
A few questions? What version of ArcGIS Enterprise are you using? Are you using Organization or Feature Service webhooks?
Some background information: