Wayne commented
Incoming Webhooks are almost unusable without any authentication in place. Apparently the whole security relies on keeping the URL secret. This might be enough for sharing pictures on the internet but not for enterprise applications. Please follow the guidelines from other players, e.g., GitHub or Twitter.
The official documentation states the following: "Messages are formatted as JSON payloads. This declarative messaging structure prevents the injection of malicious code as there is no code execution on the client."
That's a false assumption. Please study the CVE databases more closely. There are hundreds of known vulnerabilities and attack vectors based on JSON or similar payloads. The security concept should be fundamentally re-evaluated.
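
Added example, not part of the comment above and not the vendor's code: a receiver-side check in the style GitHub uses for its webhooks, where the sender puts an HMAC-SHA256 of the raw request body in the `X-Hub-Signature-256` header. The secret, payloads and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not from the page).
SHARED_SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "X-Hub-Signature-256"  # header name GitHub uses


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Receiver side: accept only if the signature matches the raw body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(SIGNATURE_HEADER.lower())
    if not supplied or not supplied.startswith("sha256="):
        return False  # unsigned request: knowing the URL alone is not enough
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> dict:
    """Run the check over constructed requests and report which are accepted."""
    body = b'{"text": "build 42 passed"}'
    sig = sign(SHARED_SECRET, body)
    signed = {SIGNATURE_HEADER: sig}
    return {
        "valid": verify(SHARED_SECRET, body, signed),
        "no_signature": verify(SHARED_SECRET, body, {}),
        "tampered_body": verify(SHARED_SECRET, b'{"text": "build 42 failed"}', signed),
        "wrong_secret": verify(b"other-secret", body, signed),
        "lowercase_header": verify(SHARED_SECRET, body, {SIGNATURE_HEADER.lower(): sig}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```

The signature must be computed over the raw bytes before any JSON parsing, since re-serialising the payload can change whitespace or key order and break the comparison.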