Security Best Practices

Webhook Tester is designed with security in mind. This guide covers best practices for keeping your data safe.

Account Security

Strong Passwords

Use strong passwords:

  • ✅ At least 12 characters
  • ✅ Mix of uppercase, lowercase, numbers, symbols
  • ✅ Unique (not reused from other sites)
  • ❌ Common words or phrases
  • ❌ Personal information

Consider using a password manager.

Email Verification

Always verify your email:

  1. Required for account access
  2. Enables password recovery
  3. Confirms account ownership

OAuth Login

For enhanced security, use OAuth providers:

Benefits:

  • No password to remember
  • Two-factor authentication via provider
  • Faster login

Account Lockout

After 5 failed login attempts:

  • Account locked for 30 minutes
  • Prevents brute-force attacks
  • Unlock via password reset

API Key Security

Secure Storage

Never expose API keys:

  • ✅ Environment variables
  • ✅ Secret management systems (AWS Secrets Manager, HashiCorp Vault)
  • ✅ CI/CD secret variables
  • ❌ Git repositories
  • ❌ Client-side JavaScript
  • ❌ Email or chat
  • ❌ Screenshots

Minimal Permissions

Follow the principle of least privilege:

  • Read-only keys: For viewing only
  • Write keys: For creating/updating
  • Admin keys: Only when necessary

Key Rotation

Rotate keys regularly:

  • Every 90 days recommended
  • Immediately if compromised
  • Update all integrations after rotation

Key Expiration

Set appropriate expiration:

  • Temporary projects: Days to weeks
  • CI/CD pipelines: 6-12 months
  • Production systems: Maximum security

Webhook Security

Webhook URL Privacy

Treat webhook URLs as sensitive:

  • They’re unique and non-guessable
  • Anyone with the URL can send webhooks
  • Don’t share publicly or commit to repos

Payload Encryption

Enable payload encryption for sensitive data:

  • AES-256-GCM encryption
  • Set ENCRYPTION_KEY in environment
  • View decrypted payloads only in the UI

Verification

Verify webhook authenticity:

  1. Secret tokens: Add secret in query params or headers
  2. Signatures: HMAC verification (provider-dependent)
  3. IP whitelisting: Restrict by source IP

HTTPS Only

All webhooks use HTTPS:

  • Encrypted in transit
  • Certificate validation
  • No HTTP fallback

Data Retention

Webhook data is auto-deleted after 30 days:

  • Request headers
  • Request body
  • Metadata

Session Security

Session Management

  • Active sessions: Monitor on Dashboard
  • Revoke unused: Delete sessions when done testing
  • Named sessions: Use descriptive names for tracking

Session Tokens

JWT tokens are:

  • Stored in localStorage (not cookies)
  • Valid for 30 days
  • Revoked on logout

Public Computers

Don’t use “Remember Me” on shared devices:

  • Clear browser data after use
  • Log out explicitly
  • Use incognito mode

Network Security

IP Hashing

IP addresses are SHA-256 hashed:

  • Original IP never stored
  • Hash enables rate limiting
  • Cannot be reversed

Rate Limiting

Automatic rate limiting:

  • Prevents abuse
  • 100 requests/minute per endpoint
  • Protects availability

CORS

Cross-Origin Resource Sharing:

  • Restricted origins
  • Preflight checks
  • Secure headers

Compliance

Data Location

Data stored on Cloudflare:

  • Workers (compute): Edge locations
  • D1 Database: Regional storage
  • KV: Global distribution

Data Processing

We process only:

  • Webhook payloads (temporary)
  • Account data (email, settings)
  • Audit logs (90-day retention)

GDPR/CCPA

User rights:

  • Access your data
  • Delete your account
  • Export your data
  • Rectify inaccuracies

Security Monitoring

Audit Logs

Admin access includes audit logs:

  • Login attempts
  • Key management
  • Account changes
  • 90-day retention

Security Dashboard

Admin-only features:

Anomaly Detection

Automatic detection:

  • Unusual login locations
  • High request volumes
  • Potential abuse patterns

Reporting Issues

Found a security vulnerability?

  1. Don’t open a public issue
  2. Do report privately through the app
  3. Include:
    • Description of vulnerability
    • Steps to reproduce
    • Potential impact

We follow responsible disclosure:

  • Acknowledge within 24 hours
  • Investigate and fix promptly
  • Credit researchers (if desired)

Checklist

Daily security checklist:

  • Use strong, unique passwords
  • Verify email and enable 2FA on OAuth providers
  • Store API keys securely
  • Use minimal required permissions
  • Encrypt sensitive payloads
  • Revoke unused sessions
  • Monitor account activity
  • Keep software updated

Next Steps