7 lines
444 B
Markdown
7 lines
444 B
Markdown
# Webhook and ack security (NR6)
|
|
|
|
- Webhooks must use HMAC-SHA256 with per-tenant rotating secrets or mTLS/DPoP. `hmac_id` maps to secret material.
|
|
- Ack URLs carry signed tokens (nonce, audience, tenant_id, delivery_id, expires_at) and are single-use. Reject replay or expired tokens.
|
|
- Enforce allowlists for domains and paths per tenant; deny wildcards.
|
|
- Capture failures in observability pipeline and DLQ with redrive after investigation.
|