
I am planning to use Azure Event Grid as a pub-sub mechanism. We want to use a custom webhook as a subscription to an Event Grid Topic. While I was able to use the validation request successfully, is there any way using which we can implement authentication and/or DDoS protection for the webhook endpoint being exposed? I came across a query string param solution, but that does not seem very legitimate.

Girish Acharya

1 Answer


If you don't want to expose the endpoint you could put something like API Management in front of it. You will have to handle the validation part within the inbound policy, however. Here is an example: https://github.com/dbarkol/EventGrid-API-Management/blob/master/eventgrid-apim-policy.xml

For the custom endpoint, other defensive measures you can take are to:

  1. Make sure the aeg-event-type value is set to Notification for incoming events.
  2. Inspect the subscription ID in the payload (reject if it's an unknown sender)
  3. Continue using a query string parameter and verify on each call.

Query string parameters are secured and never traced.

dbarkol
  • How do you verify query string parameter? How do we ensure both subscriber and publisher know or inform each other about this "key". – whihathac Nov 06 '18 at 01:26
  • If you choose to leverage a query string parameter then it should be considered a shared secret that you use when creating the subscription and also a value that can be retrieved in your handler. How you go about implementing this is up to you. Some ideas could be to include it in key vault (or named values if you are using APIM). – dbarkol Nov 06 '18 at 01:53
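Putting the answer's three checks together with the subscription-validation handshake the question mentions, as one request handler. This is an added example, not code from the original answer or from dbarkol's APIM policy. It is framework-agnostic: the function takes the HTTP method, parsed query string, headers and raw body, so it can be called from Flask, an Azure Function or any other host. The secret value, the topic resource ID, the subscription name and the sample events are constructed for the example; the aeg-event-type and aeg-subscription-name header names and the shape of the validation event follow the Event Grid webhook contract. Reading the answer's "subscription ID in the payload" as the topic resource ID in each event's topic field plus the subscription name header is my interpretation.

```python
import hmac
import json

# Constructed configuration for this example (not from the original page).
# WEBHOOK_SECRET is the value placed in the subscription's endpoint URL as
# ?code=<secret> when the subscription was created; the allowlists hold the
# topic resource IDs and subscription names this handler agrees to serve.
WEBHOOK_SECRET = "replace-with-a-long-random-value"
ALLOWED_TOPICS = {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.EventGrid/topics/demo-topic",
}
ALLOWED_SUBSCRIPTIONS = {"demo-webhook-sub"}

VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"


def _secret_ok(query):
    """Constant-time comparison of the ?code= parameter against the shared secret."""
    supplied = query.get("code", "")
    return hmac.compare_digest(supplied.encode("utf-8"), WEBHOOK_SECRET.encode("utf-8"))


def handle_event_grid_request(method, query, headers, body):
    """Validate one inbound Event Grid delivery.

    method:  HTTP method string
    query:   dict of query-string parameters
    headers: dict of request headers (any letter case)
    body:    raw request body as a string
    Returns (http_status, response_json_or_None).
    """
    if method != "POST":
        return 405, None

    # Check 3: the shared secret in the query string, verified on every call.
    if not _secret_ok(query):
        return 401, None

    hdr = {k.lower(): v for k, v in headers.items()}
    event_type = hdr.get("aeg-event-type", "")

    try:
        events = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(events, list) or not events:
        return 400, None

    # Subscription handshake: echo the validation code back so Event Grid will
    # create the subscription. It is still gated by the shared secret above.
    if event_type == "SubscriptionValidation":
        first = events[0]
        if first.get("eventType") != VALIDATION_EVENT_TYPE:
            return 400, None
        code = first.get("data", {}).get("validationCode")
        if not code:
            return 400, None
        return 200, {"validationResponse": code}

    # Check 1: only real deliveries carry aeg-event-type: Notification.
    if event_type != "Notification":
        return 400, None

    # Check 2: reject unknown senders. The subscription name arrives in the
    # aeg-subscription-name header (compared case-insensitively) and each
    # event carries the topic resource ID in its "topic" field.
    sub_name = hdr.get("aeg-subscription-name", "").lower()
    if sub_name not in {s.lower() for s in ALLOWED_SUBSCRIPTIONS}:
        return 403, None
    for ev in events:
        if ev.get("topic") not in ALLOWED_TOPICS:
            return 403, None

    return 200, {"accepted": [ev.get("id") for ev in events]}


# Constructed sample deliveries (not captured from a real Event Grid topic).
SAMPLE_TOPIC = next(iter(ALLOWED_TOPICS))
SAMPLE_VALIDATION_CODE = "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"
SAMPLE_VALIDATION_BODY = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": SAMPLE_TOPIC,
    "subject": "",
    "data": {"validationCode": SAMPLE_VALIDATION_CODE},
    "eventType": VALIDATION_EVENT_TYPE,
    "eventTime": "2018-11-06T01:00:00Z",
    "metadataVersion": "1",
    "dataVersion": "1",
}])
SAMPLE_NOTIFICATION_BODY = json.dumps([{
    "id": "evt-0001",
    "topic": SAMPLE_TOPIC,
    "subject": "orders/42",
    "data": {"orderId": 42},
    "eventType": "Contoso.Orders.Created",
    "eventTime": "2018-11-06T01:05:00Z",
    "metadataVersion": "1",
    "dataVersion": "1",
}])
# Same delivery but claiming to come from a topic we never subscribed to.
SAMPLE_FOREIGN_TOPIC_BODY = SAMPLE_NOTIFICATION_BODY.replace(
    SAMPLE_TOPIC, "/subscriptions/ffffffff-0000-0000-0000-000000000000/other")
```

The secret is compared with hmac.compare_digest rather than == so a wrong guess costs the same time regardless of how many leading characters match, and the check runs before the body is parsed so unauthenticated callers never reach the JSON decoder. Because the handler returns an HTTP status instead of raising, the host can log the rejection reason and still answer quickly, which is what you want when the endpoint is being hammered.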