I'd like to propose adding HMAC SHA256 request signing to the Alertmanager HTTP client for outgoing webhooks. This would help ensure message authenticity.
Proposed Solution
It seems there is no standard for HMAC request signing and different services implement it in slightly different ways. Some sign only the request body, while others include headers, the request path, or query parameters.
I've looked into some of the existing implementations (Slack, Docusign, Azure) and followed an approach similar to Slack:
The signature is generated using only the request body.
A timestamp can be included to mitigate replay attacks, but it's optional.
Header names are configurable.
I’ve prepared a PR that adds this via an optional custom RoundTripper, so we can see what it would look like:
prometheus/common#758
What do you think?
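To make the three design points above concrete (body-only signing, optional timestamp against replay, configurable header names), here is an added Go sketch of both sides of the exchange: a signing `http.RoundTripper` for the sender and a verifier for the receiving webhook. This is illustrative code written for this discussion, not the code in prometheus/common#758 or anything Alertmanager ships. The type and function names (`SigningConfig`, `signingRoundTripper`, `VerifySignature`, `signedPost`, `newVerifyingServer`), the `"<timestamp>:<body>"` payload layout, the hex encoding and the header names are all assumptions chosen for the example; the secret and request body are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// SigningConfig is a hypothetical configuration block for the sender.
type SigningConfig struct {
	Secret          []byte
	SignatureHeader string           // name of the signature header (configurable)
	TimestampHeader string           // empty string disables the timestamp
	Now             func() time.Time // injectable clock, mainly for tests
}

// signingRoundTripper wraps another RoundTripper and adds the HMAC headers.
type signingRoundTripper struct {
	cfg  SigningConfig
	next http.RoundTripper
}

// signedPayload is what the MAC covers: "<ts>:<body>" when a timestamp is
// used, otherwise the raw body only. Binding the timestamp into the MAC is
// what stops an attacker from simply rewriting the timestamp header.
func signedPayload(ts string, body []byte) []byte {
	if ts == "" {
		return body
	}
	return append([]byte(ts+":"), body...)
}

// computeSignature returns hex(HMAC-SHA256(secret, payload)).
func computeSignature(secret []byte, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(signedPayload(ts, body))
	return hex.EncodeToString(mac.Sum(nil))
}

// RoundTrip reads the body, signs it, and forwards a clone of the request so
// the caller's request is left untouched, as the RoundTripper contract asks.
func (s *signingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	var body []byte
	if req.Body != nil && req.Body != http.NoBody {
		b, err := io.ReadAll(req.Body)
		if err != nil {
			return nil, err
		}
		req.Body.Close()
		body = b
	}
	signed := req.Clone(req.Context())
	signed.Body = io.NopCloser(bytes.NewReader(body))
	ts := ""
	if s.cfg.TimestampHeader != "" {
		ts = strconv.FormatInt(s.cfg.Now().Unix(), 10)
		signed.Header.Set(s.cfg.TimestampHeader, ts)
	}
	signed.Header.Set(s.cfg.SignatureHeader, computeSignature(s.cfg.Secret, ts, body))
	return s.next.RoundTrip(signed)
}

// VerifySignature is the receiver's check. It rejects timestamps outside
// maxSkew (replay window) and compares MACs in constant time.
func VerifySignature(secret []byte, sig, ts string, body []byte, now time.Time, maxSkew time.Duration) error {
	if ts != "" {
		sent, err := strconv.ParseInt(ts, 10, 64)
		if err != nil {
			return fmt.Errorf("malformed timestamp")
		}
		if d := now.Sub(time.Unix(sent, 0)); d > maxSkew || d < -maxSkew {
			return fmt.Errorf("timestamp outside replay window")
		}
	}
	expected := computeSignature(secret, ts, body)
	if !hmac.Equal([]byte(expected), []byte(sig)) {
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

// newVerifyingServer is a stand-in webhook receiver that answers 200 only for
// correctly signed, fresh requests and 401 otherwise.
func newVerifyingServer(secret []byte, maxSkew time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		err := VerifySignature(secret, r.Header.Get("X-Signature"), r.Header.Get("X-Timestamp"), body, time.Now(), maxSkew)
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// signedPost sends one signed JSON POST through the wrapping transport and
// returns the receiver's status code.
func signedPost(cfg SigningConfig, url string, body []byte) (int, error) {
	client := &http.Client{Transport: &signingRoundTripper{cfg: cfg, next: http.DefaultTransport}}
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample, not a real credential
	srv := newVerifyingServer(secret, 5*time.Minute)
	defer srv.Close()
	cfg := SigningConfig{Secret: secret, SignatureHeader: "X-Signature", TimestampHeader: "X-Timestamp", Now: time.Now}
	code, err := signedPost(cfg, srv.URL, []byte(`{"status":"firing"}`)) // constructed sample body
	fmt.Println(code, err)
}
```

Two points worth noting from the receiver side: the timestamp only mitigates replay if it is inside the MAC'd payload (otherwise it is free to edit), and a bounded skew window still allows replay within that window, so receivers that care should additionally track seen signatures for the window's duration.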