secure-webhook-endpoint.md

---
title: Azure Communication Services Call Automation how-to for securing webhook endpoint
titleSuffix: An Azure Communication Services how-to document
description: Provides a how-to guide on securing the delivery of incoming call and callback events
author: fanche
ms.topic: how-to
ms.service: azure-communication-services
ms.subservice: call-automation
ms.custom: devx-track-extended-java, devx-track-js, devx-track-python
ms.date: 06/19/2023
ms.author: askaur
manager: visho
services: azure-communication-services
zone_pivot_groups: acs-js-csharp-java-python
---

How to secure webhook endpoint

Securing the delivery of messages from end to end is crucial for ensuring the confidentiality, integrity, and trustworthiness of sensitive information transmitted between systems. Your ability and willingness to trust information received from a remote system relies on the sender providing their identity. Call Automation has two ways of communicating events that can be secured: the shared IncomingCall event sent by Azure Event Grid, and all other mid-call events sent by the Call Automation platform via webhook.

Incoming Call Event

Azure Communication Services relies on Azure Event Grid subscriptions to deliver the IncomingCall event. You can refer to the Azure Event Grid team's documentation about how to secure a webhook subscription.

Call Automation webhook events

Call Automation events are sent to the webhook callback URI specified when you answer a call, or place a new outbound call. Your callback URI must be a public endpoint with a valid HTTPS certificate, DNS name, and IP address with the correct firewall ports open to enable Call Automation to reach it. This anonymous public webserver could create a security risk if you don't take the necessary steps to secure it from unauthorized access.

A common way you can improve this security is by implementing an API key mechanism. Your webserver can generate the key at runtime and provide it in the callback URI as a query parameter when you answer or create a call. Your webserver can verify the key in the webhook callback from Call Automation before allowing access. Some customers require more security measures. In these cases, a perimeter network device may verify the inbound webhook, separate from the webserver or application itself. The API key mechanism alone may not be sufficient.
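The API key mechanism described above, sketched as an added example that is not part of the original document or the Call Automation SDK. It assumes one key per call, a hypothetical `key` query parameter, a hypothetical `call` reference chosen by your application, an in-memory store, and a base callback URI without an existing query string; the resulting URI is what you would pass as the callback URI when answering or creating a call.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

KEY_PARAM = "key"  # hypothetical query parameter name (assumption)


class CallbackKeys:
    """Issues one random key per call and checks it on each webhook request."""

    def __init__(self):
        self._keys = {}  # call reference -> key; in-memory for illustration

    def callback_uri(self, base_uri, call_ref):
        """Return base_uri with call_ref and a fresh 256-bit key as the query."""
        key = secrets.token_urlsafe(32)
        self._keys[call_ref] = key
        parts = urlsplit(base_uri)
        query = urlencode({"call": call_ref, KEY_PARAM: key})
        return urlunsplit(parts._replace(query=query))

    def is_authorized(self, request_uri):
        """True only if the request carries the key issued for its call."""
        params = parse_qs(urlsplit(request_uri).query)
        call_ref = params.get("call", [""])[0]
        presented = params.get(KEY_PARAM, [""])[0]
        expected = self._keys.get(call_ref)
        if expected is None or not presented:
            return False
        # Constant-time comparison avoids leaking key bytes through timing.
        return hmac.compare_digest(presented.encode(), expected.encode())

    def revoke(self, call_ref):
        """Drop the key once the call has ended so the URI stops working."""
        self._keys.pop(call_ref, None)


def redact(request_uri):
    """Strip the key before the URI is written to access logs."""
    parts = urlsplit(request_uri)
    kept = [(k, v) for k, vs in parse_qs(parts.query).items()
            for v in vs if k != KEY_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

Because the key travels in the query string, it appears in any access log that records full request URIs; `redact` shows one way to keep it out of your own logs.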

::: zone pivot="programming-language-csharp" [!INCLUDE Secure webhook endpoint with .NET] ::: zone-end

::: zone pivot="programming-language-java" [!INCLUDE Secure webhook endpoint with Java] ::: zone-end

::: zone pivot="programming-language-javascript" [!INCLUDE Secure webhook endpoint with JavaScript] ::: zone-end

::: zone pivot="programming-language-python" [!INCLUDE Secure webhook endpoint with Python] ::: zone-end

Next steps