Open hsakoh opened 3 months ago
Might make things slightly easier in some cases where you have no control over the webhook url, but for now it should be good enough to just register a webhook like this:
https://your-host/switchbot/webhook/[string-with-enough-entropy]
Then use fail2ban or something similar to block all IPs hitting anything at /switchbot/webhook/ that does not match your hardcoded string.
You could also keep track of the webhook attempts and whitelist manually.
That could even be automated on a cronjob by deliberately triggering an action that will cause the webhook to fire, and then adding the IP matching the expected request to the whitelist – but IMO an IP whitelist is already overkill if you're not using switchbot devices to run a nuclear power plant 😁
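A receiver for the scheme described in the comment above, as an added example (this is not code from the issue, the commenter, or the SwitchBot project): the webhook URL carries a high-entropy token, the token is compared in constant time, and every request under the prefix whose token does not match is logged on one line that a fail2ban filter can match on the client IP. The prefix, the token value, the header names and the log format are assumptions chosen for the example.

```python
import hmac
import logging
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed layout: generate the token once (secrets.token_urlsafe(32)) and
# register https://your-host/switchbot/webhook/<token> with the sender.
# The value below is a constructed example, not a real token.
WEBHOOK_PREFIX = "/switchbot/webhook/"
WEBHOOK_TOKEN = "3N2pZ8qv7kHs1cRfT0dYwLx9aMbGuEiJ"

log = logging.getLogger("webhook")


def classify_request(path: str, remote_ip: str):
    """Decide how to answer a request.

    Returns (http_status, log_line). log_line is None unless the request is a
    failed guess under the webhook prefix; that line is what fail2ban watches.
    """
    clean_path = urlsplit(path).path  # drop any query string before comparing
    if not clean_path.startswith(WEBHOOK_PREFIX):
        # Not a webhook attempt at all; let the rest of the server handle it.
        return 404, None

    token = clean_path[len(WEBHOOK_PREFIX):]
    # Constant-time comparison on bytes so non-ASCII input cannot raise and
    # so the comparison time does not depend on where the first mismatch is.
    if hmac.compare_digest(token.encode("utf-8"), WEBHOOK_TOKEN.encode("utf-8")):
        return 200, None

    # Answer 404 rather than 403 so a scanner cannot tell a wrong token from a
    # path that does not exist. The log line is the only visible difference.
    return 404, f"webhook-auth-fail ip={remote_ip} reason=bad-token"


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP receiver around classify_request (example only)."""

    def do_POST(self):
        status, line = classify_request(self.path, self.client_address[0])
        if line is not None:
            log.warning(line)
        if status != 200:
            self.send_response(status)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # Only a request that presented the right token reaches this point;
        # this is where the real event handling would go.
        log.info("accepted webhook event (%d bytes)", len(body))
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the default per-request access log out of the fail2ban log


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    print("example token, register this path with the sender:",
          WEBHOOK_PREFIX + secrets.token_urlsafe(32))
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

With the log written to a file, a fail2ban filter of the form `failregex = ^.*webhook-auth-fail ip=<HOST> .*$` bans addresses that keep guessing under the prefix, while requests carrying the right token never produce a matching line.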
Current Situation
Webhook requires an endpoint that is accessible from the internet, but there is no way to restrict access, such as through authentication. If an action is taken based on the payload of a received Webhook, it could potentially enable attacks by malicious third parties.
Proposed Change
I would like to request the addition of a signature to the Webhook so that the sender can be verified.
For example, Twilio SendGrid adds a signature and timestamp to the HTTP header of the Webhook, which allows for sender verification and prevents attacks through replay attempts. Twilio SendGrid Webhook Security Features
Additional Context
Other ideas:
These options are less desirable due to maintenance challenges.