Wayne

My feedback

  1. 216 votes

    16 comments  ·  Public » Developer Platform
    Wayne commented  · 

    Incoming Webhooks are almost unusable without any authentication in place. Apparently the whole security relies on keeping the URL secret. This might be enough for sharing pictures on the internet but not for enterprise applications. Please follow the guidelines from other players, e.g., GitHub or Twitter.

    EDIT:
    The official documentation states the following: "Messages are formatted as JSON payloads. This declarative messaging structure prevents the injection of malicious code as there is no code execution on the client."

    That's a false assumption. Please study the CVE databases more closely. There are hundreds of known vulnerabilities and attack vectors based on JSON or similar payloads. The security concept should be fundamentally re-evaluated.
