Security & Privacy

CatchHook is designed to handle sensitive webhook data responsibly. This page covers the security measures in place to protect your data.

Encryption at rest (Pro and Business)

Enable encryption on any endpoint to encrypt the request body, headers, and source IP at rest. When encryption is enabled:

  • Data is encrypted before being written to the database.
  • It's decrypted on the fly when you view it in the UI or access it via the API.
  • Encryption keys are managed by the server and rotated regularly.

Enable encryption in the endpoint's Settings tab.

Sensitive header masking

Certain headers are automatically masked in the UI to prevent accidental exposure:

  • Authorization
  • X-Api-Key
  • X-Api-Secret
  • Other common secret headers

The full values are still stored (encrypted if endpoint encryption is on) and available when replaying or forwarding requests.

Inbound signature verification (webhook endpoints)

Webhook endpoints can be configured with provider signing secrets (GitHub, Stripe, Shopify, Twilio). CatchHook verifies signatures on ingest and stores per-request status:

  • verified
  • failed
  • missing_signature
  • not_configured

Verification is passive in v1: requests are still captured even when verification fails, so you can inspect and debug delivery issues safely.
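As an added illustration of the passive check described above (example code written for this page, not CatchHook's own implementation), the following classifies an inbound request into the four statuses listed, using GitHub's and Stripe's published HMAC-SHA256 schemes; the `classify` dispatcher, the header-lookup helper, and the 300-second Stripe tolerance are assumptions for illustration.

```python
import hashlib
import hmac
import time

def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def github_signature(secret: bytes, body: bytes) -> str:
    # GitHub: X-Hub-Signature-256 = "sha256=" + hex(HMAC-SHA256(secret, raw body))
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def stripe_signature(secret: bytes, body: bytes, ts: int) -> str:
    # Stripe: Stripe-Signature = "t=<unix ts>,v1=" + hex(HMAC-SHA256(secret, "<ts>.<raw body>"))
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"

def verify_github(secret, body, headers, **_):
    sig = _header(headers, "X-Hub-Signature-256")
    if sig is None:
        return "missing_signature"
    # compare_digest is constant time, so a failed check does not leak how many bytes matched
    return "verified" if hmac.compare_digest(github_signature(secret, body).encode(), sig.encode()) else "failed"

def verify_stripe(secret, body, headers, now=None, tolerance=300):
    sig = _header(headers, "Stripe-Signature")
    if sig is None:
        return "missing_signature"
    parts = [p.split("=", 1) for p in sig.split(",") if "=" in p]
    ts = next((v for k, v in parts if k == "t"), None)
    v1s = [v for k, v in parts if k == "v1"]   # several v1 values appear during secret rotation
    if ts is None or not ts.isdigit() or not v1s:
        return "failed"
    expected = stripe_signature(secret, body, int(ts)).split("v1=", 1)[1].encode()
    if not any(hmac.compare_digest(expected, v.encode()) for v in v1s):
        return "failed"
    # Stale timestamps are rejected to limit replay of a captured delivery.
    now = time.time() if now is None else now
    return "verified" if abs(now - int(ts)) <= tolerance else "failed"

VERIFIERS = {"github": verify_github, "stripe": verify_stripe}

def classify(provider, secret, body, headers, **kw):
    """Assumed dispatcher (not CatchHook's): always returns a status, never blocks capture."""
    verifier = VERIFIERS.get(provider)
    if secret is None or verifier is None:
        return "not_configured"
    return verifier(secret, body, headers, **kw)
```

Because the result is only recorded, a `failed` or `missing_signature` status is a signal to inspect the delivery (wrong secret, proxy re-encoding the body, missing header), not a reason to drop it.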

Email authentication (email endpoints)

For email endpoints, CatchHook relies on AWS SES for transport-level email authentication. Each inbound email includes verification results for:

  • SPF — verifies the sending server is authorized for the sender's domain
  • DKIM — verifies the email content wasn't tampered with in transit
  • DMARC — verifies domain policy alignment for SPF/DKIM
  • Spam verdict — AWS SES spam scoring
  • Virus verdict — AWS SES virus scanning

These results are displayed on each email event's detail page and included in the normalized JSON payload when forwarding or replaying.

SNS signature verification

Inbound email delivery from AWS SES arrives via SNS (Simple Notification Service) HTTPS notifications. CatchHook verifies the cryptographic signature on every SNS message — including subscription confirmations and notifications — to ensure messages genuinely originate from AWS and haven't been tampered with. Invalid signatures are rejected.
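The two checks that have to happen before the RSA signature is verified, as an added example that is not CatchHook's code: rebuilding the exact byte string AWS signed (field order and the optional Subject are where implementations go wrong) and refusing a SigningCertURL that does not point at an SNS service host. The `precheck` function name is an assumption; the RSA verification against the fetched certificate is left to a crypto library.

```python
import re
from urllib.parse import urlsplit

# Field order is fixed by AWS; Subject is optional and skipped when absent.
_CONFIRM = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"]
FIELDS = {
    "Notification": ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
    "SubscriptionConfirmation": _CONFIRM,
    "UnsubscribeConfirmation": _CONFIRM,
}
# Only an SNS service host may serve the signing certificate; anything else is rejected.
_CERT_HOST = re.compile(r"sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?")

def string_to_sign(msg: dict) -> bytes:
    """Canonical bytes the SNS signature covers: 'Name\\nValue\\n' per field, in order."""
    fields = FIELDS.get(msg.get("Type"))
    if fields is None:
        raise ValueError("unknown SNS message type")
    parts = []
    for name in fields:
        if name == "Subject" and msg.get(name) is None:
            continue
        parts.append(f"{name}\n{msg[name]}\n")   # KeyError on a missing required field
    return "".join(parts).encode("utf-8")

def signing_cert_url_ok(url: str) -> bool:
    """True only for https URLs on an SNS host; blocks certificates hosted elsewhere."""
    p = urlsplit(url)
    return p.scheme == "https" and p.hostname is not None and _CERT_HOST.fullmatch(p.hostname) is not None

def precheck(msg: dict) -> bytes:
    """Assumed helper: reject before any network fetch; returns the bytes to verify
    against base64-decoded msg['Signature'] using the certificate's public key."""
    if not signing_cert_url_ok(msg.get("SigningCertURL", "")):
        raise ValueError("SigningCertURL is not an AWS SNS host")
    # SignatureVersion 1 = SHA1withRSA, 2 = SHA256withRSA; anything else is rejected.
    if msg.get("SignatureVersion") not in ("1", "2"):
        raise ValueError("unsupported SignatureVersion")
    return string_to_sign(msg)
```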

Email HTML sanitization

When displaying HTML email bodies, CatchHook renders them in a sandboxed iframe with:

  • A restrictive Content Security Policy (default-src 'none')
  • src and href attributes stripped from HTML to prevent external resource loads
  • referrerpolicy="no-referrer" and sandbox="" attributes to prevent IP leakage
  • SES transport headers (x-ses-*, return-path, received) filtered from display

Email header filtering

Email event headers are filtered before display and forwarding:

  • SES transport headers are excluded (configurable via email_ingress.header_exclude_patterns)
  • Sensitive header values are masked using the same DisplayRedactor as webhook events

SSRF protection

When you replay a request or send a test request, CatchHook blocks requests to:

  • Private IP addresses (10.x.x.x, 172.16–31.x.x, 192.168.x.x)
  • Loopback addresses (127.0.0.1, ::1)
  • Link-local addresses

This prevents server-side request forgery (SSRF) attacks. The same protections apply to notification channel webhook URLs.
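The destination check a replay, test-request or notification sender needs before it opens a connection, as an added example (not CatchHook's code). It applies the three ranges listed above, also blocks IPv6 ULA, 0.0.0.0/8 and the unspecified address (an addition here), unwraps IPv4-mapped IPv6 addresses, and requires every resolved address to pass; `check_target` and its injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private ranges listed on the page
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local (includes cloud metadata services)
    "fc00::/7", "0.0.0.0/8", "::/128",                # IPv6 ULA, "this network", unspecified (added here)
)]

def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip.split("%")[0])   # drop a zone id such as fe80::1%eth0
    # ::ffff:10.0.0.1 is an IPv4 address in disguise; judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED)

def _addresses(host: str, port: int, resolver):
    try:
        ipaddress.ip_address(host)   # literal IP (including [::1]): no DNS lookup
        return [host]
    except ValueError:
        pass
    return [sockaddr[0] for *_, sockaddr in resolver(host, port)]

def check_target(url: str, resolver=socket.getaddrinfo):
    """Return (allowed, reason). Every resolved address must pass, not just the first."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, "scheme_or_host"
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
        ips = _addresses(p.hostname, port, resolver)
    except (socket.gaierror, ValueError):
        return False, "unresolvable"
    if not ips:
        return False, "unresolvable"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"blocked:{ip}"
    return True, "ok"
```

The check resolves the name once, so to defeat DNS rebinding the HTTP client should connect to the vetted address rather than resolving again, and should re-run the check on every redirect.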

Payload size limits

Incoming webhook payloads are limited to 10 MB. Requests exceeding this limit are rejected.

Rate limits

Rate limits protect against abuse and ensure fair usage:

Action                                     Limit
Account registration                       5 per hour
Temporary endpoint creation                5 per hour
Test requests (temporary endpoints)        20 per hour
Webhook reception (temporary endpoints)    50 per hour per endpoint
Webhook reception (permanent endpoints)    100 per hour per endpoint
Inbound email reception                    Rate-limited by SNS TopicArn (not by IP, since AWS SNS shares IPs across customers)
Tunnel connect (authenticated)             30 per 60 seconds
Tunnel connect (anonymous)                 10 per 60 seconds
Request deletion                           20 per hour

When rate-limited, you'll receive an HTTP 429 Too Many Requests response with a retry_after value.

Authentication

User authentication

  • Email and password (minimum 8 characters), with passwords stored using secure hashing.
  • OAuth via Google and GitHub.
  • Session-based authentication with secure cookies.
  • Account lockout — 10 failed login attempts locks the account for 15 minutes.
  • Session timeout — inactive sessions expire after 2 hours.

API authentication

  • Bearer token authentication for all API endpoints.
  • Tokens are scoped (read, tunnel) to limit access.
  • CLI tokens expire after 30 days.
  • Tokens can be revoked instantly from Account Settings.

Data retention

Webhook requests are automatically purged after your plan's retention period:

Plan        Retention
Pro         60 days
Business    180 days

Deleted data cannot be recovered.

Multi-tenancy

CatchHook uses strict tenant isolation. Each account's data is scoped so that users can only access endpoints, requests, and settings belonging to their own account. Team-scoped endpoints add an additional layer of access control within an account.