Zero-Trust Webhooks: Receiving Data without Opening a Single Port

# Traditional: Public Port 80/443 (Inbound traffic allowed)
# FetchHook: Outbound HTTPS only (Zero inbound exposure)

curl https://api.fetchhook.app/api/v1/stash_abc123 \
  -H "Authorization: Bearer fh_live_xxx"

#Why are public webhook endpoints a security risk?

Every time you create a public 'Push' endpoint, you create a target for: (1) DDoS attacks flooding your server with fake webhook requests, (2) Parameter injection attempting to exploit parsing vulnerabilities, (3) Brute-force attempts to discover and abuse your endpoints, (4) Port scanning and reconnaissance for broader attacks. Even with signature verification, your server is still physically reachable by anyone on the internet. For AI agents running on local machines or inside private VPCs, this exposure is often unacceptable—especially in regulated industries (finance, healthcare) with strict security requirements.

#What is the attack surface of traditional webhooks?

Traditional webhook endpoints expose: (1) Web server vulnerabilities (nginx/Apache CVEs), (2) Application framework vulnerabilities (Express, Flask, Django), (3) Rate limiting bypass opportunities, (4) Network layer (TCP/IP, TLS) to exploitation, (5) DNS records revealing infrastructure topology. Even a perfectly implemented webhook handler is exposed to zero-day exploits in the underlying stack. In zero-trust architecture, we assume the network is hostile—every exposed port is a liability.

Traditional Push Webhook:
❌ Port 443 publicly accessible
❌ Web server (nginx/Apache) exposed
❌ Application framework exposed
❌ DDoS attack surface
❌ Requires firewall rules, rate limiting, IDS
❌ Vulnerable to zero-days in stack

Zero-Trust Pull (FetchHook):
✓ Zero inbound ports
✓ No web server needed
✓ No application framework exposure
✓ Immune to DDoS (not reachable)
✓ No firewall ingress rules needed
✓ Attack surface = API client (TLS only)

#How does pull-based delivery enforce zero-trust?

With FetchHook, your agent or server makes an outbound-only connection to our API. Your firewall can be configured to block 100% of all incoming traffic—no exceptions. Because your agent is the one initiating the request (authenticated with an API key over TLS 1.3), you maintain full control over the flow of data. The security model inverts: instead of defending against inbound attacks, you simply don't allow inbound connections at all. This is the essence of zero-trust: never trust the network, always verify, and minimize exposure.

#How do I configure my firewall for zero-trust webhooks?

With FetchHook, your firewall rules are radically simplified: Block all inbound traffic (no exceptions), Allow outbound HTTPS (443) to api.fetchhook.app, Optional: Allow outbound to specific service IPs only. That's it. No port forwarding, no NAT configuration, no public IP address needed. Your agent pulls webhooks via outbound HTTPS, processes them locally, and your infrastructure remains completely dark to internet scans.

# Block all inbound traffic (zero-trust)
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow outbound traffic
iptables -P OUTPUT ACCEPT

# Allow established connections (for responses)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback (localhost)
iptables -A INPUT -i lo -j ACCEPT

# That's it! No webhook endpoint to expose
# Agent pulls via outbound HTTPS to FetchHook

# Optional: Restrict outbound to FetchHook IPs only
iptables -A OUTPUT -d api.fetchhook.app -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j DROP  # Block other HTTPS

#Can I run webhooks in a private VPC with no internet gateway?

Yes, with a NAT gateway or VPC endpoint. In AWS: Your Lambda/ECS runs in a private subnet with no public IP. A NAT Gateway allows outbound HTTPS (to FetchHook API) but blocks all inbound. Webhooks flow: Stripe → FetchHook (public internet) → Your Lambda pulls via NAT (outbound only). Your application layer never touches the public internet directly. In Google Cloud, use Cloud NAT. In Azure, use Azure NAT Gateway. The pattern is the same: private compute, outbound-only networking, zero inbound exposure.

Internet
   ↓
FetchHook (public, receives webhooks)
   ↓ (stored in mailbox)
   ↑ (Lambda pulls via HTTPS)
NAT Gateway (outbound only)
   ↑
Private Subnet (no public IPs)
   ↑
Lambda Function (your webhook processor)

Inbound traffic: BLOCKED at NAT level
Outbound traffic: Allowed to FetchHook API
Lambda: Unreachable from internet
Result: Zero-trust webhook ingestion

#How do I secure my agent with FetchHook?

• No Ingress: Disable all inbound ports on your firewall/VPC. Configure iptables or cloud security groups to DROP all inbound traffic.
• API Key Security: Use FetchHook's API keys (fh_live_xxx) to authenticate pull requests. Rotate keys regularly. Store in environment variables or secret managers, never in code.
• TLS 1.3: All outbound requests to FetchHook are TLS 1.3 encrypted. No plaintext data in transit.
• Encrypted Buffer: Data is stored in FetchHook's encrypted ephemeral stash (AES-256), ensuring it's never exposed in transit or at rest until you pull it.
• Signature Verification: FetchHook verifies webhook signatures at ingress. Check signature_verified flag to ensure cryptographic authenticity.
• Minimal Attack Surface: Your agent is just an HTTPS client. No web server, no open ports, no network exposure.

#Does this meet compliance requirements (SOC 2, HIPAA, PCI DSS)?

Zero-trust architecture aligns with compliance frameworks: (1) SOC 2: Demonstrates strong access controls and minimal attack surface, (2) HIPAA: Reduces PHI exposure risk by eliminating public endpoints, (3) PCI DSS: Minimizes cardholder data environment (CDE) attack vectors, (4) ISO 27001: Follows principle of least privilege and defense-in-depth. Always consult with your compliance team, but FetchHook's pull model makes audits easier: 'We don't expose any inbound network services' is a strong security posture.

import requests
import os
import logging

# Configure secure logging
logging.basicConfig(level=logging.INFO)

# API key from environment (never hardcode)
API_KEY = os.getenv("FETCHHOOK_API_KEY")
if not API_KEY:
    raise ValueError("FETCHHOOK_API_KEY not set")

def secure_webhook_pull():
    """
    Zero-trust webhook ingestion.
    Outbound HTTPS only, no inbound ports.
    """
    try:
        # Pull via TLS 1.3 (outbound only)
        response = requests.get(
            "https://api.fetchhook.app/api/v1/stash_secure",
            headers={"Authorization": f"Bearer {API_KEY}"},
            timeout=10
        )
        response.raise_for_status()

        events = response.json().get('events', [])

        for event in events:
            # Verify signature (defense-in-depth)
            if not event.get('signature_verified'):
                logging.warning(f"Unverified event rejected: {event['id']}")
                continue

            # Process verified event
            process_secure_event(event['payload'])
            logging.info(f"Processed event: {event['id']}")

    except requests.exceptions.RequestException as e:
        logging.error(f"Pull failed: {e}")

# Run in loop or via scheduler
# No web server needed
# No inbound ports opened
# Perfect zero-trust compliance