HookWatch is early, but security is already part of the product design.
Webhook payloads, secrets, and delivery history deserve careful handling. Here is what is actually in place today — described plainly, without compliance theatre.
Workspace isolation
Every endpoint, delivery, secret, and incident is scoped to a workspace. The dashboard forwards your identity to the backend, which re-checks workspace membership on each request — defense in depth, not just a UI filter.
Secrets stay masked
Signing secrets and notification credentials are write-only. The API reports whether a secret is set, never its value, so it cannot leak back through the dashboard.
Notification secrets encrypted at rest
Notification-channel secrets are sealed with an encryption key before they are written to the database, with key rotation supported. With no key configured, secret writes fail closed rather than storing plaintext.
Server-side backend bridge
The browser never calls the product backend directly. Sessions are validated in the SvelteKit server layer, which talks to the Go backend over a trusted internal channel.
Outbound safety protections
Forwarding and alert requests are checked against an SSRF / private-IP policy, and re-checked on the resolved address at connect time — including across redirects — so a destination cannot be pointed at internal services.
Safe error handling
Failures degrade to honest states instead of fabricated data. An unreachable backend shows an error or an empty state — never invented deliveries.
CI, E2E & visual quality gates
Changes ship behind continuous integration with end-to-end and visual-regression tests, so behaviour and UI are checked before release.
What to do on your side.
HookWatch's controls cover its own side of the wire. These are the basics worth doing on yours.
- Verify webhook signatures — reject anything that doesn’t match before you trust the payload.
- Keep target/forwarding URLs private — don’t point a webhook destination at a public, guessable path.
- Rotate signing and notification secrets periodically, and immediately if one may have leaked.
- Monitor failed deliveries — a dropped webhook you never see is worse than one that fails loudly.
The honest list of what we don’t do.
Saying so is part of taking security seriously. These are not in place today, and we won’t imply otherwise.
- No compliance certifications are claimed — no SOC 2, HIPAA, or GDPR claims.
- SSO is planned, not shipped.
- Enterprise controls are planned, not shipped.
- No uptime guarantee during beta.
Try it on a real webhook.
The fastest way to judge the security model is to use it. Free during beta.