Securing webhooks¶
If not used carefully, webhooks can create security vulnerabilities in your Django application.
At minimum, you should use SSL and a shared authorization secret for your Anymail webhooks. (Really, for any webhooks.)
Use SSL¶
Your Django site must use SSL, and the webhook URLs you give your ESP should start with “https” (not http).
Without https, the data your ESP sends your webhooks is exposed in transit. This can include your customers’ email addresses, the contents of messages you receive through your ESP, the shared secret used to authorize calls to your webhooks (described in the next section), and other data you’d probably like to keep private.
Configuring SSL is beyond the scope of Anymail, but there are many good tutorials on the web.
If you aren’t able to use https on your Django site, then you should not set up your ESP’s webhooks.
Signed webhooks¶
Some ESPs implement webhook signing, which is another method of verifying the webhook data came from your ESP. Anymail will verify these signatures for ESPs that support them. See the docs for your specific ESP for more details and configuration that may be required.
Even with signed webhooks, it doesn’t hurt to also use a shared secret.
Additional steps¶
Webhooks aren’t unique to Anymail or to ESPs. They’re used for many different types of inter-site communication, and you can find additional recommendations for improving webhook security on the web.
For example, you might consider:
- Tracking
event_id
, to avoid accidental double-processing of the same events (or replay attacks) - Checking the webhook’s
timestamp
is reasonably close the current time - Configuring your firewall to reject webhook calls that come from somewhere other than your ESP’s documented IP addresses (if your ESP provides this information)
But you should start with using SSL and a random shared secret via HTTP auth.