Verify receiving server with certificate pinning

Problem to solve

We want to authenticate the consumer endpoint that we send webhook data to, so that a payload is only delivered to the server the customer actually intended and not to whoever happens to answer for that hostname.

Proposal

This proposal needs more solution validation and discussion.

We can implement certificate pinning as per this WorkOS article:

Certificate pinning

This is the most common way to handle payload security: only send data over HTTPS (this should be obvious by now), and require your consumer to provide the specific certificate they’re using. For example, Twilio won’t send webhook data to HTTPS endpoints with self-signed certificates.

Also see:

Group-level SSOT certificates

We might want to allow customers to define pinned certificates at the group level. This could take the form of a library of pinned certificates.

Group hooks of the group could be verified using any of these, or a specific one.

Child project hooks of the group could be verified using any of these, or a specific one.

This would allow the customer to update one of the pinned certificates in the library once and have all of their hooks verified against the new value, for example when webhooks start failing because the receiving server rotated its certificate.

Automatic pinning at the point of verification

We could also pin automatically at the time of a successful verification (see https://gitlab.com/gitlab-org/gitlab/-/issues/374688), and then allow people to change the pinned certificate manually later. This is a trust-on-first-use model: whatever certificate the endpoint presents during verification becomes the pin, so the verification request itself must be made over a normally validated HTTPS connection.

Quick disable

We might want to allow customers to quickly disable the pinning check we perform for their hooks if they need to, at various levels:

  • Disable per webhook (through the hook settings).
  • Disable at the project settings level, applies to all of the project hooks.
  • Disable at the group settings level, applies to all group hooks and child project hooks.
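The three sections above (a group-level library of pins, pinning on first successful verification, and quick disable at hook, project or group level) fit together in a small amount of logic. The following is an added example written for this page, not GitLab's implementation: `effective_pins`, the `settings` hash it reads, and the `:hook_pin` / `:group_library` / `*_pinning_disabled` keys are hypothetical, chosen only to illustrate the resolution order. The certificates are generated in-memory so the example runs offline; `build_client` shows how the same check would hang off Net::HTTP's TLS verification when a hook actually fires.

```ruby
require 'openssl'
require 'net/http'

# Pin on the SHA-256 fingerprint of the DER-encoded leaf certificate.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Hypothetical settings resolution (not GitLab's data model):
# any disable flag wins; a hook-specific pin is used on its own;
# otherwise the group's library of pins applies ("any of these").
def effective_pins(settings)
  disabled = %i[hook_pinning_disabled project_pinning_disabled group_pinning_disabled]
  return [] if disabled.any? { |k| settings[k] }
  return [settings[:hook_pin]] if settings[:hook_pin]
  settings.fetch(:group_library, [])
end

# :not_pinned when no pins apply (plain HTTPS validation only),
# :match / :mismatch otherwise.
def verify_pinned(cert, pins)
  return :not_pinned if pins.empty?
  pins.include?(cert_fingerprint(cert)) ? :match : :mismatch
end

# Trust on first use: when a hook has no pin yet, record the certificate
# seen during a successful verification as its pin. Returns the settings.
def pin_on_verify(settings, cert)
  return settings if settings[:hook_pin] || !settings.fetch(:group_library, []).empty?
  settings.merge(hook_pin: cert_fingerprint(cert))
end

# Net::HTTP client that enforces the pin on top of normal chain validation.
# The callback only inspects the leaf (depth 0); other depths keep
# OpenSSL's own verdict.
def build_client(uri, pins)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_callback = lambda do |preverify_ok, store_ctx|
    next preverify_ok unless store_ctx.error_depth.zero?
    preverify_ok && verify_pinned(store_ctx.current_cert, pins) != :mismatch
  end
  http
end

# Constructed test data: a self-signed certificate for a given CN.
def self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  old_cert = self_signed_cert('hooks.example.test')
  new_cert = self_signed_cert('hooks.example.test') # rotated certificate
  group = { group_library: [cert_fingerprint(old_cert)] }
  puts verify_pinned(old_cert, effective_pins(group))          # match
  puts verify_pinned(new_cert, effective_pins(group))          # mismatch after rotation
  group[:group_library] << cert_fingerprint(new_cert)          # update library once
  puts verify_pinned(new_cert, effective_pins(group))          # match again
  puts verify_pinned(new_cert, effective_pins(group.merge(group_pinning_disabled: true))) # not_pinned
end
```

Pinning the leaf fingerprint is the simplest choice but it breaks on every certificate renewal, which is exactly the failure mode the group library is meant to make recoverable; pinning the SHA-256 of the Subject Public Key Info instead would survive renewals that keep the same key pair.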

Integration webhooks

Some integrations execute webhooks (those that include the HasWebHook mixin).

We should understand the implications of the feature for integration webhooks and ensure that we do not unintentionally block integrations from firing.

We should also discuss how pinning applies to integration webhooks. For integrations that can only send webhooks to a third-party server the customer does not control, customers most likely do not want to pin, since they cannot know in advance which certificate that server will present or when it will be rotated.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.