Security on POST /api/bc-webhook #340

Open
andlrutt opened this issue Apr 24, 2024 · 0 comments
andlrutt commented Apr 24, 2024

Description

Currently SpringVerify hits a webhook API when the background check is finished. This works, but anyone can currently call this endpoint without authorization. Theoretically someone could approve their own background check. Can we lock this down?

Technical Details

  • Investigate options and report to team for approval. Potential solutions:
    • Some unique identifier only SpringVerify has
    • Whitelisting static IPs
  • Implement solution
  • End-to-end test (work with Zavier)
    • Attempt to hit API manually without authorization

Dependencies

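One way the two candidate solutions listed in the issue (a secret only the sender holds, and a static IP allowlist) could be combined into a single check, shown as an added example that is not part of the original issue or the project's code. The header names, signing scheme, secret and IP range are assumptions for illustration, not SpringVerify's documented behaviour.

```python
import hashlib
import hmac
import ipaddress
import time

# Assumptions for illustration only (not from the issue or the vendor's docs):
SHARED_SECRET = b"constructed-demo-secret"  # load from a secret store in practice
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # placeholder static range
MAX_SKEW_SECONDS = 300  # reject old requests to limit replay of a captured call
TS_HEADER, SIG_HEADER = "X-Webhook-Timestamp", "X-Webhook-Signature"  # hypothetical


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over b'<timestamp>.<raw body>'."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def authorize_webhook(remote_ip: str, headers: dict, body: bytes, now=None):
    """Return (allowed, reason) for one POST /api/bc-webhook request.

    remote_ip must be the socket peer (or a value set by a trusted proxy),
    never a client-supplied header such as X-Forwarded-For.
    """
    now = time.time() if now is None else now
    try:
        peer = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "bad source address"
    if not any(peer in net for net in ALLOWED_NETS):
        return False, "source IP not allowlisted"
    ts = headers.get(TS_HEADER, "")
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "missing or stale timestamp"
    expected = sign(SHARED_SECRET, ts, body)
    supplied = headers.get(SIG_HEADER, "")
    # Constant-time comparison over bytes; verify the raw body, before JSON parsing.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"check_id": "demo-1", "status": "approved"}'  # constructed payload
    ts = str(int(time.time()))
    signed = {TS_HEADER: ts, SIG_HEADER: sign(SHARED_SECRET, ts, body)}
    print(authorize_webhook("203.0.113.5", signed, body))   # signed, allowlisted
    print(authorize_webhook("203.0.113.5", {}, body))       # manual unsigned call
    print(authorize_webhook("198.51.100.7", signed, body))  # outside allowlist
```

The unsigned call in the demo corresponds to the issue's end-to-end test step: a manual request without credentials must come back rejected.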