Octopus Subscription - key/value pair security or variable use

When setting up a Subscription WebHook notification, it’s possible to add a key/value pair as a header on the HTTP call. It appears it has to be entered verbatim as a literal and cannot be in any sort of Octopus variable. It also appears that the value is stored in cleartext, and anyone with the SubscriptionView permission will be able to read the value. This makes it insecure for use in supplying an API key, which is the biggest reason I can think of for passing a key/value pair as a header.

Is there something I’m missing? Is there a way to specify the value for a key/value pair in a way that’s at least minimally secure (beyond revoking SubscriptionView privileges from all but administrators)?

Hi @mharrah,

Thanks for getting in touch! Unfortunately it looks like you’re right that it’s not currently possible, and I can’t think of any way around this other than your suggestion to restrict SubscriptionView from non-admins. I think this is a good idea, so I raised this internally to see if it warrants raising an issue for, and I’ll keep you posted.

Let me know if you have any further questions going forward.

Best regards,

Kenny
