Community

Securing webhook

961
4
10-30-2019 12:42 PM
TomSchwartzman
by Esri Contributor
Esri Contributor
‎10-30-2019 12:42 PM

It would seem to me that an integromat webhook (for example) is just open to anyone who knows the URL.  I realize it is typically a fairly obscure URL.  But, is there a way to secure it such that it only accepts info from Survey123 and avoid someone just submitting junk? 

One thought is to look at the headers of the incoming request and filter based on something.  Survey123 IP address?  I saw some other product that allows you to append an additional item to the outgoing message, basically a "Security Key" that you could then filter against on the processing side (e.g. integromat).   Is that something Esri might think about implementing? Letting the user add an extra bit of info on the outgoing message to assure it is a valid message coming in?

Thanks for any thoughts.

Tom S.

4 Replies
JamesTedrick
by Esri Esteemed Contributor
Esri Esteemed Contributor
‎11-01-2019 12:44 PM

Hi Tom,

As Survey123 uses a client Webhooks, it is not possible to secure based on IP address by default (as submissions could come via the cellular network, a coffee shop's wifi, or a home user's wifi).  If the webhook author is aware of conditions that would restrict the address (such as they know only valid submissions would originate from the organization's internal network), then a restriction based on IP can be put in place.

It is certainly possible for a form submission to have a question answered that a webhook then filters it's processing on, including not processing records that don't meet a condition after the submission has been received.

0 Kudos
TomSchwartzman
by Esri Contributor
Esri Contributor
‎11-01-2019 12:56 PM

Thanks James - I was thinking of something that is set at the Survey Item level, that carries with the survey and thus all records submitted through the survey.  Something like an option in the pic below ("Security Key" in picture).  That Security Key would be carried along with the survey and when submitted would show up somewhere (header? submitted data?).  I think it'd be better to put it here than as a question (hidden or otherwise) in a survey.  Just my two cents.

I modeled this idea after what I saw here:  Snapcomms Knowledge Base Portal   - basically they will send the security key with every webhook submission.

Tom

OlegKachirski
by
New Contributor III
‎02-07-2020 11:33 AM

+1 on Webhook security. Maybe basic/digest auth...

0 Kudos
TanGnar
by
Occasional Contributor
‎08-30-2022 12:58 PM

Does filtering based on a predictable answer make a webhook that much more secure, or are there still other vulnerabilities? 

0 Kudos