SOLVED

Best way to secure a webhook?

Lexine_Pishue
Level 1

Hi,

I'm currently writing a webhook and want to be conscious of the vulnerabilities that it poses. What are the best practices that Marketo supports for webhooks? Is there a key I can validate against the REST API, or a list of IPs I can whitelist?

Thanks

Lexine

ACCEPTED SOLUTION

SanfordWhiteman
Level 10 - Community Moderator

Re: Best way to secure a webhook?

Webhooks are stateless, so you will always be sending credentials with the webhook request. On the back end, you can pass those creds to some more complex authorizer, but there is always some decrease in performance as a result.

Typically you send a header with the equivalent of an "API key." It could either be a true API key that is authorized against some gateway service (in between Marketo and your back end) or it could be HTTP Auth sent in an Authorization: header (processed directly by your back end, against a password file, database, etc.).

Make sure you run https:// on your back end and distribute credentials carefully so they are never shared among apps/clients, allowing credentials to be revoked without side effects.

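The header-based check described in the accepted answer, as an added example in Python (not code from the original post, from Marketo, or from any Marketo SDK). It assumes the webhook is configured to send either an X-Api-Key header or an Authorization: header (Bearer or HTTP Basic), that the back end is a WSGI app, and that keys live in a hypothetical per-client store that holds only SHA-256 digests. The client names and keys are constructed sample data.

```python
import base64
import hashlib
import hmac
import io
import json
from typing import Dict, Optional

# Constructed sample credentials for two hypothetical webhook clients. One key
# per client means a leaked key can be revoked without breaking anyone else.
SAMPLE_KEYS = {
    "marketo-prod": "prod-key-4f9a1c2e7b3d",
    "marketo-sandbox": "sandbox-key-0b8e6d1a5c2f",
}


def key_digest(key: str) -> str:
    """Store SHA-256 of each key, so a leaked store does not leak usable keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def build_store(plaintext: Dict[str, str]) -> Dict[str, str]:
    return {client: key_digest(k) for client, k in plaintext.items()}


STORE = build_store(SAMPLE_KEYS)
_DUMMY = key_digest("")  # compared against for unknown usernames, to keep timing uniform


def check_key(store: Dict[str, str], client: str, presented: str) -> bool:
    """HTTP Basic style: the username selects the client, the password is its key."""
    ok = hmac.compare_digest(key_digest(presented), store.get(client, _DUMMY))
    return ok and client in store


def identify_by_key(store: Dict[str, str], presented: str) -> Optional[str]:
    """API-key style: no username, so scan every client with no early exit."""
    digest = key_digest(presented)
    match = None
    for client, expected in store.items():
        if hmac.compare_digest(digest, expected):
            match = client
    return match


def authorize(headers: Dict[str, str], store: Dict[str, str]) -> Optional[str]:
    """Return the authenticated client name, or None. Header names are assumptions."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-api-key" in h:
        return identify_by_key(store, h["x-api-key"].strip())
    scheme, _, value = h.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer":
        return identify_by_key(store, value.strip())
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            return None
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        return user if check_key(store, user, password) else None
    return None


def revoke(store: Dict[str, str], client: str) -> None:
    """Dropping one entry revokes one client and nobody else."""
    store.pop(client, None)


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def webhook_app(environ, start_response):
    """WSGI endpoint: refuse plain HTTP, then authenticate, then parse the body."""
    # Behind a TLS-terminating proxy you would trust X-Forwarded-Proto from that proxy only.
    if environ.get("wsgi.url_scheme") != "https":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"https required\n"]
    headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
    client = authorize(headers, STORE)
    if client is None:
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="webhook"'), ("Content-Type", "text/plain")])
        return [b"unauthorized\n"]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        payload = json.loads(environ["wsgi.input"].read(length) or b"{}")
        if not isinstance(payload, dict):
            raise ValueError("object expected")
    except (ValueError, KeyError):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"bad json\n"]
    body = json.dumps({"client": client, "fields": sorted(payload)}).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def make_environ(scheme: str, headers: Dict[str, str], body: bytes = b"") -> dict:
    """Build a minimal WSGI environ so the app can be exercised offline."""
    env = {"REQUEST_METHOD": "POST", "wsgi.url_scheme": scheme,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    for k, v in headers.items():
        env["HTTP_" + k.upper().replace("-", "_")] = v
    return env


def handle(environ: dict):
    """Call webhook_app and return (status, body) without running a server."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(webhook_app(environ, start_response))
    return captured["status"], body
```

Mount webhook_app under any WSGI server that terminates TLS, and configure the webhook to send the key in whichever of the three headers you pick. Authentication happens before the body is read, the key store holds digests rather than keys, every comparison uses hmac.compare_digest, and because each client has its own key, revoke() removes one caller without side effects on the others, which is the property the answer asks for.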

Lexine_Pishue
Level 1

Re: Best way to secure a webhook?

Thank you, this was helpful. I've added a key, and confirmed within my org that it is sufficient, security-wise.