PATTERN Cited by 1 source
Defense in depth for webhook abuse mitigation¶
Pattern¶
When building a webhook-sender service, no single defence is sufficient against all abuse shapes. The canonical shape is a layered composition of orthogonal mitigations, each addressing a distinct attack axis, such that an attacker succeeding at one layer is still stopped at another.
The two primary abuse axes to defend:
- SSRF — attacker coerces the sender to hit internal targets.
- Amplification — attacker uses the sender as a traffic generator to flood a victim URL or exhaust the sender's own resources.
The SSRF layer¶
- URL validation at submission — HTTPS-only + private-IP blocklist + own-domain blocklist + post-DNS-resolution re-check. Fast user feedback; first defensive layer.
- [[patterns/isolated-egress-proxy-for-user-urls| Isolated egress-proxy tier (Envoy)]] — all outbound requests flow through a dedicated proxy that re-enforces rules at send time (after DNS has been re-resolved). Closes the DNS-rebinding check-to-send gap URL validation alone leaves open.
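An added example (not PlanetScale's code) of the submission-time validation layer above, written in Ruby since the service runs on Sidekiq. The `OWN_DOMAINS` list and the injectable `resolver` are assumptions; the resolver is injected so the check runs offline, and in production it would be `Resolv.getaddresses`.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Ranges the sender must never reach: loopback, RFC 1918, CGNAT, link-local
# (where cloud metadata services live) and their IPv6 counterparts.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Hypothetical own-domain blocklist (assumption, not from the source).
OWN_DOMAINS = %w[example-saas.test].freeze

def blocked_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.1 -> 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true # anything we cannot parse as an address is rejected
end

# Returns [ok, reason]. resolver maps a hostname to an array of IP strings.
def validate_webhook_url(raw, resolver: ->(h) { Resolv.getaddresses(h) })
  uri = URI.parse(raw)
  return [false, "https required"] unless uri.is_a?(URI::HTTPS)
  host = uri.hostname.to_s.downcase
  return [false, "missing host"] if host.empty?
  if OWN_DOMAINS.any? { |d| host == d || host.end_with?(".#{d}") }
    return [false, "own domain"]
  end
  # Literal IPv4/IPv6 in the URL: check it directly, no DNS involved.
  return [false, "private address"] if host =~ /\A[\d.]+\z|:/ && blocked_ip?(host)
  # Post-DNS-resolution re-check: every address the name resolves to must be public.
  ips = resolver.call(host)
  return [false, "unresolvable host"] if ips.empty?
  return [false, "resolves to private address"] if ips.any? { |ip| blocked_ip?(ip) }
  # The answer can change between this check and the send (DNS rebinding);
  # that gap is closed by re-checking in the egress proxy, not here.
  [true, nil]
rescue URI::InvalidURIError
  [false, "malformed url"]
end
```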
The amplification layer (five defences)¶
From PlanetScale's webhook service in sources/2026-04-21-planetscale-webhook-security-a-hands-on-guide:
- Global API rate limit. All endpoints carry a rate limit bounding how many actions an attacker can take per time window.
- Per-endpoint tighter limit on the test endpoint. The webhook test / trigger endpoint (where the attacker gets the biggest amplification leverage) is capped at 1 request per 20 seconds — much tighter than the global limit. Verbatim rationale: "This felt reasonable for users who are testing their hooks while also eliminating the risk of the test webhook being abused."
- Sidekiq uniqueness on the send queue. Duplicate webhooks enqueued in quick succession collapse to a single send. Verbatim: "Duplicate webhooks in quick succession get rejected, resulting in only a single unique webhook being sent out from our service, as well as limiting the number of webhooks we need to process."
- Isolated infrastructure for webhook workers. The webhook queue runs on its own Kubernetes machines so abuse is structurally bounded to the webhook tier — blast-radius capping at the Kubernetes-service altitude. Verbatim: "If our webhooks are being abused, we do not want that to impact the reliability of the rest of our systems. They can be easily paused or disabled in the event of an incident."
- Strict send timeouts. Verbatim framing: "Sending a webhook ties up our resources while waiting for a response. One possible attack vector is queueing many webhooks that resolve very slowly. This can be mitigated by setting a short timeout on webhook requests."
The quota layer¶
- Per-database webhook count cap (5). Initial admission-control limit on how many webhooks a single database may have. Canonical verbatim framing: "Adding more later is always easier than taking it away." Same opt-out-expensive-default discipline as patterns/instant-deploy-opt-in.
Why the composition matters¶
Each layer addresses a failure mode the others don't:
| Layer | Stops |
|---|---|
| URL validation | Naive misuse / typos / obvious SSRF |
| Envoy egress proxy | DNS-rebinding, cloud-metadata access |
| API rate limit | Mass enqueue at the API boundary |
| Test-endpoint per-second limit | Abuse concentration on the amplification endpoint |
| Sidekiq uniqueness | Inflight duplicate amplification |
| Isolated workers | Blast radius onto other PlanetScale services |
| Send timeout | Resource exhaustion via slow receivers |
| Per-DB quota | Abuse-fleet construction via one customer |
Stripping a layer reopens the abuse shape it covers unless another layer overlaps it: stripping URL validation alone is recoverable via the Envoy proxy, but stripping the proxy leaves only the validation, which DNS rebinding defeats. Stripping the timeout leaves slow-resolve attacks viable. The composition has the defense-in-depth property: no single point of catastrophe.
Sibling patterns¶
- patterns/isolated-egress-proxy-for-user-urls — the SSRF-specific leg of this composition.
- patterns/pluggable-durability-rules — same "multiple orthogonal rules, each catches what others miss" shape on the durability axis.
- concepts/blast-radius — the principle making isolation-per-failure-mode valuable.
Seen in¶
- sources/2026-04-21-planetscale-webhook-security-a-hands-on-guide — Canonical pattern disclosure (2023-11-21, Mike Coutermarsh). Five amplification defences + two SSRF defences + one quota gate composed into a single operational posture on PlanetScale's webhook service. Load-bearing architectural quote verbatim: "No matter how rigorous your URL validations are, you cannot fully trust any URL provided by a user. Because of this, it's critical to isolate and limit where the webhooks service can send HTTP requests."