Security

Security is a core design constraint for GetHook, not an afterthought. Below is an overview of the controls we have in place to protect your webhooks and data.

API Key Storage

API keys are hashed with SHA-256 before storage. The plaintext key is shown once at creation and never stored or logged. Only the key prefix (e.g. hk_abc…) is retained for display.

Encryption at Rest

Signing secrets and sensitive destination configuration are encrypted with AES-256-GCM using a 32-byte key derived from the ENCRYPTION_KEY environment variable. Payloads are stored in PostgreSQL with full-disk encryption enabled on the host.

Encryption in Transit

All connections to GetHook use TLS 1.2 or higher. We enforce HTTPS for all production endpoints and HSTS with a 1-year max-age.

HMAC Webhook Signatures

Outbound events are signed with HMAC-SHA256. The signature format (t=<unix>,v1=<hex>) is compatible with the Stripe webhook verification pattern, making integration straightforward for developers.
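
A receiver-side check for this header format, as an added example (not GetHook's own code). It assumes the MAC covers `<t>.<body>`, as in Stripe's scheme, and that the caller picks the timestamp tolerance; the page specifies only the `t=<unix>,v1=<hex>` layout, and the secret and body below are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// mac is HMAC-SHA256 over "<t>.<body>" (assumed layout, as in Stripe's scheme).
func mac(secret, body []byte, t int64) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d.%s", t, body)
	return m.Sum(nil)
}

// Verify rejects malformed headers, stale timestamps (replay) and bad MACs.
func Verify(secret, body []byte, header string, now time.Time, tol time.Duration) error {
	var ts, hx string
	for _, part := range strings.Split(header, ",") {
		switch k, v, _ := strings.Cut(strings.TrimSpace(part), "="); k {
		case "t":
			ts = v
		case "v1":
			hx = v
		}
	}
	t, terr := strconv.ParseInt(ts, 10, 64)
	sig, herr := hex.DecodeString(hx)
	if terr != nil || herr != nil || len(sig) != sha256.Size {
		return errors.New("malformed signature header")
	}
	if d := now.Sub(time.Unix(t, 0)); d > tol || d < -tol {
		return errors.New("timestamp outside tolerance")
	}
	if !hmac.Equal(sig, mac(secret, body, t)) { // constant-time comparison
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	secret, body, now := []byte("constructed-secret"), []byte(`{"event":"ping"}`), time.Unix(1700000000, 0)
	hdr := fmt.Sprintf("t=%d,v1=%x", now.Unix(), mac(secret, body, now.Unix())) // sender side
	fmt.Println(Verify(secret, body, hdr, now, 5*time.Minute))
}
```

Verify the raw request bytes as received, before any JSON parsing or re-serialization, since any change to the body changes the MAC.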

Inbound Signature Verification

Sources can be configured to verify inbound signatures from providers including Stripe, GitHub, and Shopify. Unverified requests are rejected before any payload is stored.

Tenant Isolation

Every database query is scoped by account_id. There are no shared database rows between tenants. API keys are always validated against the requesting account before any data is returned.

Responsible Disclosure

If you discover a security vulnerability in GetHook, please report it privately to security@gethook.to. We aim to respond within 48 hours and will work with you to understand and resolve the issue before public disclosure. We appreciate responsible researchers and will acknowledge your contribution.

Infrastructure

GetHook runs on managed cloud infrastructure with automated backups, point-in-time recovery, and restricted network access. Production databases are not publicly accessible. Access to production systems is limited to named engineers using SSH keys and multi-factor authentication.

Rate Limiting

The ingest endpoint and management API enforce per-account rate limits to protect against abuse. Excessive requests are rejected with HTTP 429. Limits are documented in the API reference.

Audit Logging

All API calls are logged with account ID, timestamp, method, path, and response status. Delivery attempts record the outcome, HTTP status, and response time for every webhook dispatch. Logs are retained for 90 days.

Dependency Management

We pin all Go module dependencies and run automated dependency scans on every commit. Security patches are applied within 72 hours of a CVE disclosure that affects a direct dependency.