Octopus Subscription - key/value pair security or variable use

mharrah · July 22, 2021, 12:56am

When setting up an Subscription WebHook notification, it’s possible to add a key/value pair as a header on the HTTP call. It appears it has to be entered verbatim as a literal and cannot be in any sort of Octopus variable. It also appears that the value is stored in cleartext, and anyone with the SubscriptionView permission will be able to read the value. This makes it insecure for use in supplying an API key, which is the biggest reason I can think of for passing a key/value pair as a header.

Is there something I’m missing? Is there a way to specify the value for a key/value pair in a way that’s at least minimally secure (beyond revoking SubscriptionView privileges from all but administrators)?

Kenneth_Bates · July 22, 2021, 1:54am

Hi @mharrah,

Thanks for getting in touch! Unfortunately it looks like you’re right that it’s not currently possible, and I can’t think of any way around this other than your suggestion to restrict SubscriptionView from non-admins. I think this is a good idea, so I raised this internally to see if it warrants raising an issue for, and I’ll keep you posted.

Let me know if you have any further questions going forward.

Best regards,

Kenny

system · August 22, 2021, 1:55am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.