Diskdrive

Reputation: 18855

SendGrid incoming mail webhook - how do I secure my endpoint

I'm currently using SendGrid's Inbound Parse Webhook to feed emails to my application. I've been able to get it working by pointing the URL to an endpoint which my application has exposed. SendGrid just sends the email in the form of a JSON format HTTP POST request to this endpoint and I just process each request internally.

My question is, now that I have it working, how do I ensure that only SendGrid can use this endpoint? At the moment, anyone can utilise this HTTP POST endpoint and pretend that an email has been sent to the application.

Can I get SendGrid to send some sort of unique key to identify themselves? Is there a way I can restrict by IP address?

Upvotes: 35

Views: 7532

Answers (3)

Brett

Reputation: 528

Defence in depth would suggest using several mechanisms together. In addition to having a secret key in the target URL (which is actually not so secret because it can be leaked in server logs of any intermediate servers), you can also perform IP address validation.

We do IP address validation by validating that the IP address belongs to SendGrid's ASN which is AS11377 (publicly available information).

We do this easily without any 3rd-party API calls or databases because we run our frontend on Cloudflare Workers, and Cloudflare makes the ASN information available on all incoming requests (see https://developers.cloudflare.com/workers/runtime-apis/request/#incomingrequestcfproperties). Great!

While neither approach is bulletproof by itself, when combined, it's pretty good defence in depth.

Upvotes: 0
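An added example, not part of the answer above and not SendGrid's or Cloudflare's own code: a Cloudflare Worker check that combines the two mechanisms described, the AS11377 test on `request.cf.asn` and a URL key. It assumes the key travels as a `key` query parameter and is stored in a hypothetical `PARSE_KEY` secret binding; it fails closed when `request.cf` is absent.

```javascript
// Added example. Assumptions: the query parameter name "key" and the
// env.PARSE_KEY binding are hypothetical; AS11377 is the ASN from the answer.
const SENDGRID_ASN = 11377;

// Compare two strings without returning early on the first differing byte,
// so response timing does not reveal how much of the key matched.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// request: any object with .url and the Workers-provided .cf properties.
// Returns a verdict instead of throwing so the caller picks the response.
function checkInboundParse(request, expectedKey) {
  // Fail closed: no cf object (for example in local testing) means no ASN.
  const asn = request.cf ? Number(request.cf.asn) : NaN;
  if (asn !== SENDGRID_ASN) {
    return { ok: false, status: 403, reason: "source ASN is not AS11377" };
  }
  const supplied = new URL(request.url).searchParams.get("key") ?? "";
  // An unset secret must never match an empty or missing key.
  if (!expectedKey || !constantTimeEqual(supplied, expectedKey)) {
    return { ok: false, status: 401, reason: "missing or wrong key" };
  }
  return { ok: true, status: 200, reason: "accepted" };
}

// Worker entry point; in a Worker module this object is the default export.
const worker = {
  async fetch(request, env) {
    const verdict = checkInboundParse(request, env.PARSE_KEY);
    if (!verdict.ok) {
      // Log the reason only, never request.url: the URL carries the key.
      console.log("inbound parse rejected:", verdict.reason);
      return new Response("rejected", { status: verdict.status });
    }
    // ... process the POSTed email here ...
    return new Response("ok");
  },
};
```
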

Sindre

Reputation: 21

SendGrid support suggests using a reverse DNS lookup and ensuring that the resulting hostname belongs to sendgrid.net. They apparently have no built-in security features for these webhooks.

Upvotes: 2

Nick Q.

Reputation: 3986

There are two ways in which you may secure your endpoint. SendGrid's webhooks support basic auth (e.g. https://user:[email protected]/endpoint). You can also implement a unique key that you check before acting upon the request (e.g. https://example.com/endpoint?key=123).

The simple answer, however, is anything that you add to the URL can act as unique authentication for SendGrid.

Upvotes: 38
