You might think that using the team secret in the webhook URL poses a security threat, e.g. because 'somebody' might listen to the web traffic. The same might apply for the team email address which includes the team secret.
Here is why this is not the case:
HTTP comes on top or inside a TLS encrypted communication session. You won’t be easily able to ‘listen’ to this traffic and see the plain URL that a POST or GET is sent to. Of course, the SIGNL4 webhook URL needs to be kept confidentially, that is correct. It is expected that it is only stored/used in systems which in itself have identity management and access control.
The same applies to your SIGNL4 team email. Secure mail servers start any SMTP communication via STARTTLS. Nobody would be able to sniff target addresses here.
As long as you do not disclose your team secrets yourself, it will be no problem.
An alternative of course, can be the use of our REST API, where you pass an API key in the header. This might feel more secure. However, security is based on TLS not on the location of any API key or content within the payload or header.
More reading: https://security.stackexchange.com/questions/118975/is-it-safe-to-include-an-api-key-in-a-requests-url
Please sign in to leave a comment.