docs consolidation work
This commit is contained in:
6
docs/modules/notify/security/webhook-ack-hardening.md
Normal file
@@ -0,0 +1,6 @@
# Webhook and ack security (NR6)
- Webhooks must use HMAC-SHA256 with per-tenant rotating secrets or mTLS/DPoP. `hmac_id` maps to secret material.
- Ack URLs carry signed tokens (nonce, audience, tenant_id, delivery_id, expires_at) and are single-use. Reject replay or expired tokens.
- Enforce allowlists for domains and paths per tenant; deny wildcards.
- Capture failures in observability pipeline and DLQ with redrive after investigation.
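Review bot: the webhook bullet does not say what the HMAC-SHA256 signature covers, while the ack bullet enumerates its token fields (nonce, audience, tenant_id, delivery_id, expires_at); without a timestamp or nonce in the signed input, a captured webhook can be replayed even though the ack path explicitly rejects replay. Suggest documenting the canonical signed string (for example timestamp plus request body), the receiver's tolerance window for that timestamp, and that signatures are compared in constant time. The `hmac_id` mapping should also state how rotation is handled, i.e. how long the previous secret stays valid so receivers can verify deliveries that were signed during the rollover. Finally, "deny wildcards" for the per-tenant allowlist could be sharpened by saying whether the match is on the exact host and path prefix, so implementers do not read it as permitting subdomain or path-suffix matches.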