Please stop exposing API keys to all admins in webhooks pages [Update: It's a different key!]

Answered

2 Comments

  • Official comment
    Chris Sos
    Zendesk Product Manager

    Hi CJ,

    Thanks for your post. This article on our developer documentation may assist in understanding the purpose of the signing secret: Verifying webhook authenticity

    The TL;DR is that this key is used by Zendesk to sign each individual webhook request. The receiving server can validate the signature in the header to verify that the request indeed came from Zendesk. It can also be used to prevent replay attacks against your server if your request is somehow hijacked.

    This secret key is not a credential and we do not recommend using it as such; it is provided for users who would like an extra layer of security and validation on requests. For authentication, we recommend utilising the authentication methods provided on the webhook (Basic Auth or Bearer token at this time).

    Hope this helps!

    Chris
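The verification Chris describes, written out as an added example (this is not Zendesk's own code and not from the linked documentation). It assumes the scheme as I understand it from Zendesk's public docs: the signature header carries base64(HMAC-SHA256(signing secret, timestamp + raw body)), the timestamp header carries an ISO-8601 UTC string such as "2024-01-01T00:00:00Z", and the header names are `X-Zendesk-Webhook-Signature` and `X-Zendesk-Webhook-Signature-Timestamp`. The sample secret, timestamp and body are constructed. It shows both halves of the answer: the signature check proves the request came from the holder of the signing secret, and the freshness window is what turns a hijacked-but-valid request into a rejected replay.

```python
import base64
import hashlib
import hmac
import time
from datetime import datetime, timezone

# Assumed header names (compared case-insensitively) and signature construction,
# following Zendesk's published scheme as I understand it:
#   signature = base64(HMAC-SHA256(signing_secret, timestamp + raw_body))
SIGNATURE_HEADER = "x-zendesk-webhook-signature"
TIMESTAMP_HEADER = "x-zendesk-webhook-signature-timestamp"
MAX_SKEW_SECONDS = 300  # freshness window; anything outside it is treated as a replay


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """What the sender produces: HMAC-SHA256 over timestamp||body, base64-encoded."""
    mac = hmac.new(signing_secret.encode("utf-8"),
                   timestamp.encode("utf-8") + body,
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def _timestamp_to_epoch(timestamp: str) -> float:
    """Parse the ISO-8601 timestamp header; raises ValueError on garbage."""
    if timestamp.endswith("Z"):  # Python < 3.11 rejects a trailing "Z"
        timestamp = timestamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(timestamp)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.timestamp()


def verify_webhook(signing_secret, headers, body, now_epoch=None, max_skew=MAX_SKEW_SECONDS):
    """Return True only if the signature matches AND the timestamp is fresh.

    headers: mapping of header name -> value
    body:    the raw request bytes exactly as received, before any JSON parsing
             (re-serialising parsed JSON will not reproduce the signed bytes)
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    received_sig = lowered.get(SIGNATURE_HEADER)
    timestamp = lowered.get(TIMESTAMP_HEADER)
    if not received_sig or not timestamp:
        return False  # unsigned request: never fall back to "accept"

    # Freshness first: a correctly signed but stale request is a replay.
    try:
        sent_at = _timestamp_to_epoch(timestamp)
    except ValueError:
        return False
    if now_epoch is None:
        now_epoch = time.time()
    if abs(now_epoch - sent_at) > max_skew:
        return False

    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(expected, received_sig)


def demo():
    """Constructed sample traffic (not from a real account) run through the check."""
    secret = "constructed-signing-secret"
    ts = "2024-01-01T00:00:00Z"            # epoch 1704067200
    body = b'{"ticket":{"id":42,"status":"open"}}'
    headers = {
        "X-Zendesk-Webhook-Signature": compute_signature(secret, ts, body),
        "X-Zendesk-Webhook-Signature-Timestamp": ts,
    }
    now = 1704067200 + 30                  # receiver clock 30 s after the send time
    return {
        "genuine": verify_webhook(secret, headers, body, now),
        "tampered_body": verify_webhook(secret, headers, body + b" ", now),
        "replayed_later": verify_webhook(secret, headers, body, now + 3600),
        "unsigned": verify_webhook(secret, {}, body, now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Two design points worth noting: the check reads the raw body bytes rather than a parsed object, because any re-serialisation changes the signed input, and a missing header is a hard reject rather than a silent pass, so a misconfigured webhook fails closed.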

  • CJ

    Oh thank GOODNESS. I didn't look super closely, and the labeling is very vague.
    Shots below are not my prod account info; I wanted to make super sure on my d3v instance.

    I went ahead and made a new API token and new webhook.

    You can see that it really looks like you are showing the "secret key" for the Authentication in the view:

    I assumed that the key being hidden was the token I literally entered in for basic auth via token, one step earlier in making the webhook. The help text, "verify that your webhook data is coming from Zendesk", even fits the misunderstanding of what this field is: I'm doing a PUT/POST, so I'm pushing the data, so that would be me and my Zendesk credentials that are being checked, right? (Wrong!)

    I'm VERY glad that this is not showing the API tokens.

    However, I still feel this is pretty undesirable/not super secure, as your own documentation has the following to say about it:

    Note: The secret key should be treated like any other credential and should not be committed to code or exposed publicly.

