Skip to content
Security

HookWatch is early, but security is already part of the product design.

Webhook payloads, secrets, and delivery history deserve careful handling. Here is what is actually in place today — described plainly, without compliance theatre.

Workspace isolation

Every endpoint, delivery, secret, and incident is scoped to a workspace. The dashboard forwards your identity to the backend, which re-checks workspace membership on each request — defense in depth, not just a UI filter.

Secrets stay masked

Signing secrets and notification credentials are write-only. The API reports whether a secret is set, never its value, so it cannot leak back through the dashboard.

Notification secrets encrypted at rest

Notification-channel secrets are sealed with an encryption key before they are written to the database, with key rotation supported. With no key configured, secret writes fail closed rather than storing plaintext.

Server-side backend bridge

The browser never calls the product backend directly. Sessions are validated in the SvelteKit server layer, which talks to the Go backend over a trusted internal channel.

Outbound safety protections

Forwarding and alert requests are checked against an SSRF / private-IP policy, and re-checked on the resolved address at connect time — including across redirects — so a destination cannot be pointed at internal services.

Safe error handling

Failures degrade to honest states instead of fabricated data. An unreachable backend shows an error or an empty state — never invented deliveries.

CI, E2E & visual quality gates

Changes ship behind continuous integration with end-to-end and visual-regression tests, so behaviour and UI are checked before release.

Checklist

What to do on your side.

HookWatch's controls cover its own side of the wire. These are the basics worth doing on yours.

  • Verify webhook signatures — reject anything that doesn’t match before you trust the payload.
  • Keep target/forwarding URLs private — don’t point a webhook destination at a public, guessable path.
  • Rotate signing and notification secrets periodically, and immediately if one may have leaked.
  • Monitor failed deliveries — a dropped webhook you never see is worse than one that fails loudly.
What is not claimed yet

The honest list of what we don’t do.

Saying so is part of taking security seriously. These are not in place today, and we won’t imply otherwise.

  • No compliance certifications are claimed — no SOC 2, HIPAA, or GDPR claims.
  • SSO is planned, not shipped.
  • Enterprise controls are planned, not shipped.
  • No uptime guarantee during beta.
Get started

Try it on a real webhook.

The fastest way to judge the security model is to use it. Free during beta.