Exposing Webhooks endpoint to Internet (Cloudflare Tunnels with Authentication and Mobile App)

Hey, I’ve set up Cloudflare Tunnels with extra authentication for remote access to a HASS instance, but the extra layer is causing issues with mobile app updates - webhooks don’t connect in the background or something similar.

I’ve seen advice to unrestrict the webhooks endpoint and remove the extra authentication layer for /api/webhooks/* (or only for each mobile app) (Source).

Is this safe? My understanding is that the webhooks endpoint is POST/“input” only.

HTTPS is in place and enforced.

Thank you!

Bumping, hope someone is able to provide some insight.

I’ve seen people use Webhook Relay to achieve remote access; it seems to only have HTTPS as its security feature, so I’m starting to think it should be safe?

The answer is … it depends.

If your webhooks are nice long random things then the odds of somebody brute forcing them are low.

If you’re using the payload and doing something based on that payload then what you do, and how you do it matters. Blindly using unsanitized input is traditionally a great way of allowing others to run code on your system. The odds of that happening with HA are low, unless you’re passing things to a shell command.

Hi Tinkerer,
That’s a good explanation of the situation, thank you. I understand it better now.

To confirm, was I correct in assuming webhooks are input only?

I think to minimise the risk, maybe I’ll work out the specific endpoint URL for each app instance. The specific endpoint ID will only change if the app resets, I think, so that will be the least risky option.
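Putting the two points above together (long random ids make guessing impractical; exempt only the exact per-app endpoints, and only for POST), here is an added example that is not from the thread or from Home Assistant's own code. It assumes HA webhook paths have the form /api/webhook/<id> and that ids are 64 hex characters; both are assumptions to verify against your own instance.

```python
import re
import secrets

# Assumption (not taken from the thread): HA webhook URLs look like
# /api/webhook/<id> and ids are 32 random bytes rendered as 64 hex chars.
WEBHOOK_PATH = re.compile(r"^/api/webhook/([0-9a-f]{64})$")


def generate_webhook_id(nbytes: int = 32) -> str:
    """Produce an id with the same shape as the assumed HA format."""
    return secrets.token_hex(nbytes)


def brute_force_years(webhook_id: str, guesses_per_second: float = 1e6) -> float:
    """Expected years to hit a hex id of this length by blind guessing,
    assuming the attacker searches half the space on average."""
    bits = len(webhook_id) * 4          # each hex character carries 4 bits
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def should_bypass_access(method: str, path: str, allowed_ids) -> bool:
    """Decide whether a request may skip the extra authentication layer.

    Only POSTs to the exact per-app webhook paths are exempted, which is the
    'one bypass per mobile app' option discussed in the thread. A GET on the
    same path, any other /api route, or an unknown id stays behind the
    authentication layer.
    """
    if method.upper() != "POST":
        return False
    match = WEBHOOK_PATH.match(path)
    if match is None:
        return False
    return match.group(1) in allowed_ids
```

Use the second function as the allowlist rule for whatever sits in front of HA; the first one shows why a short or guessable id would undo the whole arrangement.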

From zacwest on Discord:

webhooks are all post: iOS/Sources/Shared/API/Webhook/Networking/WebhookManager.swift at 8b736fd4505ab533e0fdaf8bbf238b3adfe10f7e · home-assistant/iOS · GitHub

(in the context of the mobile app)

Webhooks are no longer all POST

Webhooks are how you send data to HA, so yes.

Great, thanks.

I’ve edited my prior comment to clarify that only mobile app webhooks are guaranteed to be POST