Security Best Practices
Webhook Tester is designed with security in mind. This guide covers best practices for keeping your data safe.
Account Security
Strong Passwords
Use strong passwords:
- ✅ At least 12 characters
- ✅ Mix of uppercase, lowercase, numbers, symbols
- ✅ Unique (not reused from other sites)
- ❌ Common words or phrases
- ❌ Personal information
Consider using a password manager.
Email Verification
Always verify your email:
- Required for account access
- Enables password recovery
- Confirms account ownership
OAuth Login
For enhanced security, use OAuth providers:
Benefits:
- No password to remember
- Two-factor authentication via provider
- Faster login
Account Lockout
After 5 failed login attempts:
- Account locked for 30 minutes
- Prevents brute-force attacks
- Unlock via password reset
API Key Security
Secure Storage
Never expose API keys:
- ✅ Environment variables
- ✅ Secret management systems (AWS Secrets Manager, HashiCorp Vault)
- ✅ CI/CD secret variables
- ❌ Git repositories
- ❌ Client-side JavaScript
- ❌ Email or chat
- ❌ Screenshots
Minimal Permissions
Follow the principle of least privilege:
- Read-only keys: For viewing only
- Write keys: For creating/updating
- Admin keys: Only when necessary
Key Rotation
Rotate keys regularly:
- Every 90 days recommended
- Immediately if compromised
- Update all integrations after rotation
Key Expiration
Set appropriate expiration:
- Temporary projects: Days to weeks
- CI/CD pipelines: 6-12 months
- Production systems: Maximum security
Webhook Security
Webhook URL Privacy
Treat webhook URLs as sensitive:
- They’re unique and non-guessable
- Anyone with the URL can send webhooks
- Don’t share publicly or commit to repos
Payload Encryption
Enable payload encryption for sensitive data:
- AES-256-GCM encryption
- Set ENCRYPTION_KEY in environment
- View decrypted payloads only in the UI
Verification
Verify webhook authenticity:
- Secret tokens: Add secret in query params or headers
- Signatures: HMAC verification (provider-dependent)
- IP whitelisting: Restrict by source IP
HTTPS Only
All webhooks use HTTPS:
- Encrypted in transit
- Certificate validation
- No HTTP fallback
Data Retention
Webhook data auto-deleted after 30 days:
- Request headers
- Request body
- Metadata
Session Security
Session Management
- Active sessions: Monitor on Dashboard
- Revoke unused: Delete sessions when done testing
- Named sessions: Use descriptive names for tracking
Session Tokens
JWT tokens are:
- Stored in localStorage (not cookies)
- Valid for 30 days
- Revoked on logout
Public Computers
Don’t use “Remember Me” on shared devices:
- Clear browser data after use
- Log out explicitly
- Use incognito mode
Network Security
IP Hashing
IP addresses are SHA-256 hashed:
- Original IP never stored
- Hash enables rate limiting
- Cannot be reversed
Rate Limiting
Automatic rate limiting:
- Prevents abuse
- 100 requests/minute per endpoint
- Protects availability
CORS
Cross-Origin Resource Sharing:
- Restricted origins
- Preflight checks
- Secure headers
Compliance
Data Location
Data stored on Cloudflare:
- Workers (compute): Edge locations
- D1 Database: Regional storage
- KV: Global distribution
Data Processing
We process only:
- Webhook payloads (temporary)
- Account data (email, settings)
- Audit logs (90-day retention)
GDPR/CCPA
User rights:
- Access your data
- Delete your account
- Export your data
- Rectify inaccuracies
Security Monitoring
Audit Logs
Admin access includes audit logs:
- Login attempts
- Key management
- Account changes
- 90-day retention
Security Dashboard
Admin-only features:
- Security monitoring
- Failed login tracking
- Account lockout status
- Audit trail
Anomaly Detection
Automatic detection:
- Unusual login locations
- High request volumes
- Potential abuse patterns
Reporting Issues
Found a security vulnerability?
- Don’t open a public issue
- Do report privately through the app
- Include:
  - Description of vulnerability
  - Steps to reproduce
  - Potential impact
We follow responsible disclosure:
- Acknowledge within 24 hours
- Investigate and fix promptly
- Credit researchers (if desired)
Checklist
Daily security checklist:
- Use strong, unique passwords
- Verify email and enable 2FA on OAuth providers
- Store API keys securely
- Use minimal required permissions
- Encrypt sensitive payloads
- Revoke unused sessions
- Monitor account activity
- Keep software updated
Next Steps
- Troubleshooting - Common issues
- API Keys - Programmatic access
- Getting Started - Basic usage