
feat(developer-settings): add webhook_headers backend support#116901

Closed

sentry-junior[bot] wants to merge 28 commits into master from feat/webhook-headers-backend

Commit ddb61af: feat(developer-settings): add webhook_headers backend support
@sentry/warden / warden: wrdn-authz completed Jun 4, 2026 in 13m 30s

1 issue

wrdn-authz: Found 1 issue (1 high)

High

webhookHeaders (potentially containing auth secrets) returned unconditionally to any authenticated user - `src/sentry/sentry_apps/api/serializers/sentry_app.py:150`

Move `webhookHeaders` inside the owner-gated block so it is only returned to members of the owning org or elevated users, matching the same protection applied to `clientId` and `clientSecret`.

Also found at:

  • src/sentry/sentry_apps/api/serializers/sentry_app.py:49
  • src/sentry/sentry_apps/logic.py:117
  • src/sentry/apidocs/examples/sentry_app_examples.py:108

⏱ 12m 16s · 1.0M in / 30.0k out · $1.84

Annotations

Check failure on line 150 in src/sentry/sentry_apps/api/serializers/sentry_app.py


@sentry-warden / warden: wrdn-authz

webhookHeaders (potentially containing auth secrets) returned unconditionally to any authenticated user

Move `webhookHeaders` inside the owner-gated block so it is only returned to members of the owning org or elevated users, matching the same protection applied to `clientId` and `clientSecret`.

Check failure on line 49 in src/sentry/sentry_apps/api/serializers/sentry_app.py


[2SX-LWT] webhookHeaders (potentially containing auth secrets) returned unconditionally to any authenticated user (additional location)

Check failure on line 117 in src/sentry/sentry_apps/logic.py


[2SX-LWT] webhookHeaders (potentially containing auth secrets) returned unconditionally to any authenticated user (additional location)

Check failure on line 108 in src/sentry/apidocs/examples/sentry_app_examples.py


[2SX-LWT] webhookHeaders (potentially containing auth secrets) returned unconditionally to any authenticated user (additional location)