Hey @flaco_jones, this is an excellent question. While that big-secret-string goes SSL-encrypted over the wire, it's true that anyone who manages to get between your SSL offloading layer and your microservice would be able to read it. You have a couple of options for securing this:
- Setting up the Autotask in such a way that, even if an attacker calls the webhook, the Autotask cannot execute anything malicious (e.g. keeping a whitelist of claimer addresses in the Autotask).
- Implementing an additional authentication layer within your Autotask. The Autotask receives the entire HTTP payload (plus a subset of headers) in its invocation, so you could implement your own authentication mechanism on it.
- Using the defender-relay-client as you suggest, since the relayer API uses a secure AWS v4 signature algorithm for authentication. Note that you should only go this way if you're calling the relayer from your own services, and not from a public client where a user could exfiltrate your relayer keys.
- Telling us which authentication mechanism you'd like to see implemented for Autotask Webhooks, so we can add it to our roadmap!