How is a slack webhook safe?
I'm setting up Slack alerts on a project I'm working on. To use Slack's Incoming Webhook, all you have to do is a POST request to a Slack URL. I don't see any security on it. How is this secure? Wouldn't someone be able to post messages if he gets hold of this URL, given that the URL is public even in HTTPS connections?

Pugliese answered 7/9, 2020 at 9:27
The docs you linked say:

Keep it secret, keep it safe. Your webhook URL contains a secret. Don't share it online, including via public version control repositories. Slack actively searches out and revokes leaked secrets.

That is, you should keep the webhook URL as secret as any secret (database passwords, ...) in your app.

Boudoir answered 7/9, 2020 at 9:33
Okay, makes sense... though there's the question of the secret (the URL) being routed through the public internet. It's like your password being part of a URL's path param... what are your thoughts on this? (Pugliese)

The main issue with placing secrets in paths or query parameters is that they tend to stick around in access logs. Other than that, my thoughts here are "HTTPS". No router or proxy on the public internet will be able to decipher the TLS session without consent. (Boudoir)

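Worked example of treating the webhook URL the way the answer and the comments describe: load it from the environment instead of source control, refuse to send it over anything but HTTPS, and never write the full URL to a log. This is an added illustration, not code from the original post or from Slack. It assumes the secret is supplied in an environment variable named SLACK_WEBHOOK_URL, and that incoming webhooks live under https://hooks.slack.com/services/... (Slack's documented host for them); the sample URL and the fake network opener are constructed for the demo.

```python
"""Handling a Slack Incoming Webhook URL as a secret (added example).

Assumptions not stated on the page: the secret arrives via the SLACK_WEBHOOK_URL
environment variable, and valid webhooks are https URLs on hooks.slack.com
under /services/. The sample URL below is constructed, not a real webhook.
"""
import json
import os
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOST = "hooks.slack.com"   # assumption: Slack's documented webhook host
ALLOWED_PATH_PREFIX = "/services/"  # assumption: path prefix of incoming webhooks


def validate_webhook_url(url):
    """Raise ValueError unless the URL is https to the expected host and path.

    An http:// URL would put the secret path on the wire in cleartext, which
    throws away the "HTTPS" argument made in the comments.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("webhook URL must use https")
    if parts.hostname != ALLOWED_HOST:
        raise ValueError("unexpected webhook host: %r" % (parts.hostname,))
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        raise ValueError("unexpected webhook path")


def is_safe_webhook_url(url):
    """Boolean form of validate_webhook_url for callers that just want a check."""
    try:
        validate_webhook_url(url)
        return True
    except ValueError:
        return False


def load_webhook_url(env=None):
    """Read the secret from the environment rather than hardcoding it in source."""
    env = os.environ if env is None else env
    url = env.get("SLACK_WEBHOOK_URL")
    if not url:
        raise RuntimeError("SLACK_WEBHOOK_URL is not set")
    validate_webhook_url(url)
    return url


def redact_webhook_url(url):
    """Log-safe form: keep scheme and host, mask the secret part of the path.

    The secret travels in the URL path, which proxies and application logs
    record by default, so anything that logs the URL must see this form.
    """
    parts = urlsplit(url)
    return "%s://%s%s<redacted>" % (parts.scheme, parts.hostname, ALLOWED_PATH_PREFIX)


def post_alert(url, text, opener=urllib.request.urlopen):
    """POST a JSON message to the webhook and return the HTTP status.

    `opener` is injectable so the function can be exercised without network access.
    """
    validate_webhook_url(url)
    body = json.dumps({"text": text}).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with opener(req, timeout=10) as resp:
        return resp.status


class _FakeResponse:
    """Constructed stand-in for an HTTP response, used only by demo()."""
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def demo():
    """Run the whole flow against a constructed environment and a fake network."""
    env = {"SLACK_WEBHOOK_URL": "https://hooks.slack.com/services/T000/B000/EXAMPLE-SECRET"}
    url = load_webhook_url(env)
    sent = []

    def fake_urlopen(req, timeout=None):
        # Records the payload that would have gone to Slack instead of sending it.
        sent.append(json.loads(req.data.decode("utf-8")))
        return _FakeResponse()

    status = post_alert(url, "deploy finished", opener=fake_urlopen)
    return {"status": status, "logged_as": redact_webhook_url(url), "sent": sent}


if __name__ == "__main__":
    print(demo())
```

Run it with no arguments to see the redacted form that should appear in logs; in real use, drop the fake opener and let `post_alert` use `urllib.request.urlopen`, which verifies the TLS certificate by default.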
© 2022 - 2024 — McMap. All rights reserved.