 

How to add authentication header in JIRA webhook

I am writing some Java REST APIs which will be invoked from a webhook configured through the JIRA administration console. But I do not see any way to add an authentication header while configuring the webhook in JIRA.

Without a header, there is a security concern in the sense that anyone can invoke my Java REST APIs.

Could someone please suggest how to add custom headers to a webhook, possibly with an example? I have already gone through the Atlassian developer documentation but did not find any solution there.

Anshul Singhal asked Jul 09 '16 04:07


1 Answer

Adding a username and password to the Jira Cloud webhook URL e.g.

is ignored by Jira Cloud unfortunately. It seems that other Atlassian products do provide the ability to set a header / provide username and password for basic authentication.

Also see:

  • https://jira.atlassian.com/browse/JRA-31953
  • https://answers.atlassian.com/questions/12270170/where-does-the-webhook-arrive-from.

You basically have two options:

  • You can add an API key or some kind of secret to the webhook URL. The disadvantage is that the secret could show up in your web server logs.
  • Don't trust the webhook POST body (JSON) and pull the information from the API.

Adding the Atlassian server IPs to a white list would also make sense:

  • https://confluence.atlassian.com/cloud/database-and-ip-information-744721662.html#DatabaseandIPinformation-IPAddressrange.

Although it doesn't completely eliminate attack vectors since attacks can also come from another Jira cloud environment.

Youri Thielen answered Oct 03 '22 09:10
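The two options from the answer above, combined in an added example (not code from the original answer): a JDK-only receiver (Java 11+) that rejects requests without the URL secret and then re-fetches the issue from Jira's REST API instead of acting on the POST body. The environment variable names, the `token` parameter, the `/jira-hook` path and port 8080 are assumptions, and the regex-based issue key extraction is a simplification that a JSON parser would normally replace.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.regex.*;

public class JiraWebhookReceiver {
    // Assumed names: the env vars, the "token" query parameter (URL-safe secret), /jira-hook.
    static final byte[] SECRET = env("WEBHOOK_SECRET").getBytes(StandardCharsets.UTF_8);
    static final String JIRA_BASE = env("JIRA_BASE_URL"), JIRA_AUTH = env("JIRA_AUTH_HEADER");
    static final Pattern TOKEN = Pattern.compile("(?:^|&)token=([^&]*)");
    // Strict issue key shape, so nothing else from the body can reach the API URL.
    static final Pattern ISSUE_KEY = Pattern.compile("\"key\"\\s*:\\s*\"([A-Z][A-Z0-9_]*-[0-9]+)\"");
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }
    // Option 1: secret in the webhook URL, compared in constant time.
    static boolean tokenValid(String rawQuery) {
        Matcher m = TOKEN.matcher(rawQuery == null ? "" : rawQuery);
        return m.find() && MessageDigest.isEqual(m.group(1).getBytes(StandardCharsets.UTF_8), SECRET);
    }
    // Option 2: the body only hints at which issue changed; the data comes from Jira itself.
    static String fetchIssue(String untrustedBody) {
        Matcher m = ISSUE_KEY.matcher(untrustedBody);
        if (!m.find()) return null;
        HttpRequest req = HttpRequest.newBuilder(URI.create(JIRA_BASE + "/rest/api/2/issue/" + m.group(1)))
                .header("Authorization", JIRA_AUTH).build();
        var res = HttpClient.newHttpClient().sendAsync(req, HttpResponse.BodyHandlers.ofString()).join();
        return res.statusCode() == 200 ? res.body() : null;
    }

    static void handle(HttpExchange ex) throws IOException {
        try {
            // Log only ex.getRequestURI().getPath(); the raw query carries the secret.
            if (!tokenValid(ex.getRequestURI().getRawQuery())) { ex.sendResponseHeaders(403, -1); return; }
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            String issue = fetchIssue(body); // act on this, never on `body`
            ex.sendResponseHeaders(issue != null ? 204 : 400, -1);
        } finally { ex.close(); }
    }
    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/jira-hook", JiraWebhookReceiver::handle);
        server.start();
    }
}
```

Because the secret travels in the URL, the receiver should only be reachable over HTTPS, for example behind a TLS-terminating proxy.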