Header Validation
Header validation is used by components that receive incoming messages to verify the authenticity and authorization of those messages. This includes webhook sources that accept HTTP events from external systems, Kafka sources that validate Kafka message headers, and SSE sinks that receive HTTP requests.
Components Using Header Validation
| Component | Purpose |
|---|---|
| Source webhook | Validate incoming webhook events from CI/CD systems, GitHub, GitLab, etc. |
| Source Kafka | Validate incoming Kafka message headers for authentication and authorization |
| Sink SSE | Validate incoming HTTP requests to SSE endpoints |
Validation Process
When a request arrives, each configured header rule is evaluated:
- All rules must pass for the request to be accepted
- Any rule failure results in request rejection (401/403 response)
- Missing headers are treated as validation failures
Header Rule Types
Pattern Matching
Validate headers against regex patterns:
toml
[sources.webhook.extractor.headers]
"Authorization" = { type = "matches", pattern = "^Bearer [A-Za-z0-9\\\\-_]+$" }Exact Matching
Require exact header values:
toml
[sources.webhook.extractor.headers]
"Content-Type" = { type = "equals", value = "application/json", case_sensitive = false }Header Existence
Simply require that a header is present:
toml
[sources.webhook.extractor.headers]
"X-Request-ID" = { type = "exists" }Environment Secrets
Compare against values from environment variables:
toml
[sources.webhook.extractor.headers]
"X-API-Key" = { type = "secret", value = "EXPECTED_API_KEY" }HMAC Signature Verification
Verify cryptographic signatures to ensure request authenticity:
toml
[sources.webhook.extractor.headers]
"X-Hub-Signature-256" = { type = "signature", token = "webhook-secret", signature_prefix = "sha256=", signature_on = "body", signature_encoding = "hex" }Signature Parameters
token(string): Secret key for HMAC computationsignature_prefix(string, optional): Prefix added to signature (e.g., "sha256=")signature_on(string): What to sign - "body" or "headers_then_body"signature_encoding(string): Encoding format - "hex" or "base64"token_encoding(string, optional): How to decode the token - "hex", "base64", or unset
Common Validation Patterns
GitHub Webhook Validation
toml
[sources.github_webhook.extractor]
type = "webhook"
id = "github"
# GitHub signature validation
[sources.github_webhook.extractor.headers]
"X-Hub-Signature-256" = { type = "signature", token = "GITHUB_WEBHOOK_SECRET", signature_prefix = "sha256=", signature_on = "body", signature_encoding = "hex" }GitLab Token Validation
toml
[sources.gitlab_webhook.extractor]
type = "webhook"
id = "gitlab"
# GitLab token validation
[sources.gitlab_webhook.extractor.headers]
"X-Gitlab-Token" = { type = "secret", value = "GITLAB_WEBHOOK_TOKEN" }API Key + Content Type Validation
toml
[sources.secure_api.extractor]
type = "webhook"
id = "api"
[sources.secure_api.extractor.headers]
"X-API-Key" = { type = "secret", value = "API_SECRET_KEY" }
"Content-Type" = { type = "equals", value = "application/json", case_sensitive = false }Custom Signature Validation
toml
[sources.custom_webhook.extractor]
type = "webhook"
id = "custom"
# Custom signature format
[sources.custom_webhook.extractor.headers]
"X-Custom-Signature" = { type = "signature", token = "CUSTOM_SECRET", signature_prefix = "custom=", signature_on = "body", signature_encoding = "base64" }Multi-Header Validation
Configure multiple validation rules for comprehensive security:
toml
[sources.enterprise.extractor]
type = "webhook"
id = "enterprise"
[sources.enterprise.extractor.headers]
"X-API-Key" = { type = "secret", value = "ENTERPRISE_API_KEY" }
"Content-Type" = { type = "equals", value = "application/json", case_sensitive = false }
"User-Agent" = { type = "matches", pattern = "^MyApp/[0-9]+\\.[0-9]+.*" }Security Best Practices
HTTPS Only
Always use HTTPS for webhook endpoints
Rate Limiting
Consider implementing rate limiting for webhook endpoints (configured outside cdviz-collector):
nginx
# Example nginx rate limiting
location /webhook/ {
limit_req zone=webhook burst=10 nodelay;
proxy_pass http://cdviz-collector:8080;
}Testing Header Validation
Test Valid Requests
bash
# Test valid authentication
curl -X POST http://localhost:8080/webhook/test \
-H "Content-Type: application/json" \
-H "X-API-Key: my-secret-key" \
-d '{"test": "data"}'Test Invalid Requests
bash
# Test missing header (should return 401)
curl -X POST http://localhost:8080/webhook/test \
-H "Content-Type: application/json" \
-d '{"test": "data"}'
# Test wrong API key (should return 403)
curl -X POST http://localhost:8080/webhook/test \
-H "Content-Type: application/json" \
-H "X-API-Key: wrong-key" \
-d '{"test": "data"}'
# Test invalid content type (should return 400/403)
curl -X POST http://localhost:8080/webhook/test \
-H "Content-Type: text/plain" \
-H "X-API-Key: my-secret-key" \
-d '{"test": "data"}'Debug Validation Issues
Enable debug logging to see header processing:
bash
RUST_LOG=cdviz_collector::security=debug cdviz-collector connect --config config.tomlResponse Codes
Header validation affects HTTP response codes:
| Code | Condition |
|---|---|
| 200/201 | All header rules passed |
| 400 Bad Request | Malformed headers or content |
| 401 Unauthorized | Missing required headers |
| 403 Forbidden | Header validation failed |