Security question/ask. We recently started using ...
# pulumi-cloud
Security question/ask. We recently started using the webhook feature (love it). We use the slack integration - can you please not display the slack URL after its configured? (i.e. make it write-once only) Since the slack URL is https encoded with a secret, any user of the Pulumi organization can read it now and spoof messages. (low risk since this is just pulumi updates, but just a best practice) In the image below you can see the full URL:
this is good feedback Sam, I’ll share it with the team
FWIW Slack doesn’t do a great job at explaining maybe if some part of the URL can be revealed for matching purposes and any other part should be redacted but 🤷
ChatGPT says its the last part that is the secret :-))))
Maybe just mask it then