JIRA Webhook Calls Security

dhara.ghodasara · April 6, 2018, 8:11pm

Hi There ,

We have standalone product which has tight JIRA integration. We are using webhook calls for issue create, update and delete events. So if any issue related event happens on JIRA, then we get notification about it and make necessary change on our side.

Right now issue is, this REST end point which we have used in webhook is not secure. Any one from outside can also call it.

How do we make sure that request is coming from JIRA not from any other source?

FYI - We have customers on Cloud and Server both. ANd whitelisting IPs is not an option for us.

Can anyone provide resolution for this?

Thank You.

daniel · April 6, 2018, 9:31pm

For the Cloud customers - the “easiest” (for them) would be to have an Atlassian Connect app. When they install the app, you’d receive a installation hook with a secret. Then the web hooks that you declare in the app would have a jwt Authorization header on it which you can then decode with the secret. For more about this - see https://developer.atlassian.com/cloud/jira/platform/modules/webhook/ and https://developer.atlassian.com/cloud/jira/platform/authentication-for-apps/

For Server, it gets more complicated… The best way would be to you to create your own p2 app which can handle whichever authentication you want. Failing that, my suggestion would be to embed an authentication token in the url to your system. While it’s a bit “security through obscurity” - it would at least allow you to make it harder for people to impersonate the the jira instance.

moveworkforward · April 11, 2018, 4:59am

You cal also API tokens: https://confluence.atlassian.com/cloud/api-tokens-938839638.html