CatchHook|Docs
Back to AppStart Free Trial
Navigation
HomeGetting StartedEndpointsWebhook RequestsForwardingTunneling & CLIAlertsNotification ChannelsTeamsAPI ReferenceBilling & PlansAccount SettingsSecurity & Privacy

Security & Privacy

CatchHook is designed to handle sensitive webhook data responsibly. This page covers the security measures in place to protect your data.

Encryption at rest (Pro and Business)

Enable encryption on any endpoint to encrypt the request body, headers, and source IP at rest. When encryption is enabled:

  • Data is encrypted before being written to the database.
  • It's decrypted on the fly when you view it in the UI or access it via the API.
  • Encryption keys are managed by the server and rotated regularly.

Enable encryption in the endpoint's Settings tab.

Sensitive header masking

Certain headers are automatically masked in the UI to prevent accidental exposure:

  • Authorization
  • X-Api-Key
  • X-Api-Secret
  • Other common secret headers

The full values are still stored (encrypted if endpoint encryption is on) and available when replaying or forwarding requests.

Inbound signature verification

Endpoints can be configured with provider signing secrets (GitHub, Stripe, Shopify, Twilio). CatchHook verifies signatures on ingest and stores per-request status:

  • verified
  • failed
  • missing_signature
  • not_configured

Verification is passive in v1: requests are still captured even when verification fails, so you can inspect and debug delivery issues safely.

SSRF protection

When you replay a request or send a test request, CatchHook blocks requests to:

  • Private IP addresses (10.x.x.x, 172.16–31.x.x, 192.168.x.x)
  • Loopback addresses (127.0.0.1, ::1)
  • Link-local addresses

This prevents server-side request forgery (SSRF) attacks. The same protections apply to notification channel webhook URLs.

Payload size limits

Incoming webhook payloads are limited to 10 MB. Requests exceeding this limit are rejected.

Rate limits

Rate limits protect against abuse and ensure fair usage:

Action Limit
Account registration 5 per hour
Temporary endpoint creation 5 per hour
Test requests (temporary endpoints) 20 per hour
Webhook reception (temporary endpoints) 50 per hour per endpoint
Webhook reception (permanent endpoints) 100 per hour per endpoint
Tunnel connect (authenticated) 30 per 60 seconds
Tunnel connect (anonymous) 10 per 60 seconds
Request deletion 20 per hour

When rate-limited, you'll receive an HTTP 429 Too Many Requests response with a retry_after value.

Authentication

User authentication

  • Email and password with secure hashing (minimum 8 characters).
  • OAuth via Google and GitHub.
  • Session-based authentication with secure cookies.
  • Account lockout — 10 failed login attempts locks the account for 15 minutes.
  • Session timeout — inactive sessions expire after 2 hours.

API authentication

  • Bearer token authentication for all API endpoints.
  • Tokens are scoped (read, tunnel) to limit access.
  • CLI tokens expire after 30 days.
  • Tokens can be revoked instantly from Account Settings.

Data retention

Webhook requests are automatically purged after your plan's retention period:

Plan Retention
Pro 60 days
Business 180 days

Deleted data cannot be recovered.

Multi-tenancy

CatchHook uses strict tenant isolation. Each account's data is scoped so that users can only access endpoints, requests, and settings belonging to their own account. Team-scoped endpoints add an additional layer of access control within an account.