Webhook Security Controls

Security controls for webhook delivery covering source verification, access restriction, and component identity.

Capabilities

| Capability | Purpose |
|---|---|
| IP Allowlisting | Restrict accepted delivery sources by network |
| Header Validation | Verify webhook event source authenticity |
| Cryptographic Enrollment | Establish trust between components with cryptographic identity |
| Security Capability Validation | Authoritative reference for all security claims |
| Agent → SaaS mTLS | Required mTLS enforcement for agent communication |
| ZenLock Credential Lifecycle | Secure credential custody and distribution |

Security Model

Zen Mesh secures webhook delivery across four boundaries:

| Boundary | Protection |
|---|---|
| Webhook source → Ingester | HTTPS + provider signature verification |
| Ingester ↔ Egress (data plane) | mTLS + SPIFFE/SPIRE + HMAC (mandatory) |
| Agent ↔ SaaS (control plane) | mTLS + HMAC |
| Egress → Customer target | Secure-by-default, customer-configurable |