Webhook Security Controls
Security controls for webhook delivery covering source verification, access restriction, and component identity.
Capabilities
| Capability | Purpose |
|---|---|
| IP Allowlisting | Restrict accepted delivery sources by network |
| Header Validation | Verify webhook event source authenticity |
| Cryptographic Enrollment | Establish trust between components with cryptographic identity |
| Security Capability Validation | Authoritative reference for all security claims |
| Agent → SaaS mTLS | Required mTLS enforcement for agent communication |
| ZenLock Credential Lifecycle | Secure credential custody and distribution |
| Trust Lab | Deterministic validation scenarios for webhook delivery |
| Security Validation Suite | Adversarial and boundary validation scenarios |
| 2FA/MFA Authentication | V1 prerequisite — app-level 2FA for local/password auth, IdP-delegated MFA for OIDC |
| Security Feature Tiering | Feature availability by plan (V1 / V1.1) |
| Git SDK SSRF Classification | SSRF risk classification for Git provider SDKs |
Security Model
Zen Mesh secures webhook delivery across four boundaries:
| Boundary | Protection |
|---|---|
| Webhook source → Ingester | HTTPS + provider signature verification |
| Ingester ↔ Egress (data plane) | mTLS + SPIFFE/SPIRE + HMAC (mandatory) |
| Agent ↔ SaaS (control plane) | mTLS + HMAC |
| Egress → Customer target | Secure-by-default, customer-configurable |