feat(config-api): Blacklist some urls from webhook for security reason

[syntrydy]

---

Description

Currently there is no security in webhook feature.
The following should be check:

1. Perform URL validation(url should be valid url and resolvable).
2. Ensure URL starts with "https://", disallow "file://" and other non-HTTPS schemes.
3. Block typical local IPs: 127.0.x, 192.168.x, 172.x.
4. Prohibit "localhost" and "http://"
5. Require a specific response header for POST requests, unique to the customer.

[433B]

Hello! I'm interested in this topic, could I have it for myself? I have experience in this area

[nynymike]

Sure... why not. I don't think it's a super high priority at Jans. @syntrydy could you explain what you mean by Require a specific response header for POST requests, unique to the customer. Did you have a header in mind?

[syntrydy]

@nynymike

Before the source app sends an HTTP request via the webhook, it hashes the payload (request body) with HMAC using the secret key. The resulting hash is then bundled into the HTTP request as a header, and the entire request (header and body) is sent to the webhook endpoint.

Upon receiving the HTTP request, the destination app hashes the body with the secret key and then compares the result to the hash provided in the header. If the values match, the destination app knows the data is legit and processes it. If the values do not match, the destination app rejects the data and executes whatever code was written for that scenario — perhaps creating a log entry or sending a notification.

[syntrydy]

@433B any update?

[433B]

@433B any update?

@syntrydy Hi, yes, I just need to finalize the mock tests for my implementation and it's done. I wanted to commit my code yesterday, but got an access error with 403 status. Do you know why this happens?