Security: Implement webhook signature verification

[coderabbitai]

Description

The webhook endpoints in backend/app/api/webhooks.py don't verify request signatures, allowing anyone to send fake webhook requests.

Vulnerable Endpoints

• POST /webhook/task-update
• POST /webhook/execution-update

Security Risk

Without signature verification:

• Attackers can inject fake task updates
• False execution status can be broadcasted to frontend
• Potential for denial of service attacks
• Data integrity compromised

Implementation Required

1. Add HMAC signature verification using shared secret
2. Validate X-Kestra-Signature header
3. Reject requests with invalid signatures (return 403)
4. Add signature verification middleware
5. Document webhook setup in Kestra

Example Implementation

import hmac
import hashlib

def verify_webhook_signature(body: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

Location

• File: backend/app/api/webhooks.py
• Lines: 24-59
• Introduced in: PR Kestra end to end integration with the frontend and backend #37

Related

• Issue Protect API endpoints with authentication #16 (Authentication)
• Issue Add rate limiting and security headers #24 (Security headers)