Securing webhook

10-30-2019 12:42 PM
Esri Contributor

It would seem to me that an integromat webhook (for example) is just open to anyone who knows the URL.  I realize it is typically a fairly obscure URL.  But, is there a way to secure it such that it only accepts info from Survey123 and avoid someone just submitting junk? 

One thought is to look at the headers of the incoming request and filter based on something.  Survey123 IP address?  I saw some other product that allows you to append an additional item to the outgoing message, basically a "Security Key" that you could then filter against on the processing side (e.g. integromat).   Is that something Esri might think about implementing? Letting the user add an extra bit of info on the outgoing message to assure it is a valid message coming in?

Thanks for any thoughts.

Tom S.

4 Replies
Esri Esteemed Contributor

Hi Tom,

As Survey123 uses a client Webhooks, it is not possible to secure based on IP address by default (as submissions could come via the cellular network, a coffee shop's wifi, or a home user's wifi).  If the webhook author is aware of conditions that would restrict the address (such as they know only valid submissions would originate from the organization's internal network), then a restriction based on IP can be put in place.

It is certainly possible for a form submission to have a question answered that a webhook then filters it's processing on, including not processing records that don't meet a condition after the submission has been received.

0 Kudos
Esri Contributor

Thanks James - I was thinking of something that is set at the Survey Item level, that carries with the survey and thus all records submitted through the survey.  Something like an option in the pic below ("Security Key" in picture).  That Security Key would be carried along with the survey and when submitted would show up somewhere (header? submitted data?).  I think it'd be better to put it here than as a question (hidden or otherwise) in a survey.  Just my two cents.

I modeled this idea after what I saw here:  Snapcomms Knowledge Base Portal   - basically they will send the security key with every webhook submission.


New Contributor III

+1 on Webhook security. Maybe basic/digest auth...

0 Kudos
Occasional Contributor

Does filtering based on a predictable answer make a webhook that much more secure, or are there still other vulnerabilities? 

0 Kudos