# Threat model

## STRIDE overview

| Category | Risk | Mitigation |
|---|---|---|
| Spoofing | forged webhook | X-Gitlab-Token + bcrypt verification |
| Tampering | manipulated session/tokens | signed cookies, constant-time comparisons |
| Repudiation | insufficient auditability | structured logs + correlation IDs |
| Information disclosure | sensitive data leak | security headers, limited endpoint exposure |
| DoS | webhook/API flooding | rate limiting + queue backpressure controls |
| Elevation of privilege | unauthorized admin access | RBAC dependency checks |
## Critical flows

```mermaid
sequenceDiagram
    participant A as Attacker
    participant API as API
    participant SEC as Security checks
    A->>API: POST webhook without valid token
    API->>SEC: verify X-Gitlab-Token
    SEC-->>API: reject
    API-->>A: 401/403
```
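The rejection path in the diagram, written out as an added example (not the project's own code): the handler checks X-Gitlab-Token against a stored hash using a constant-time comparison and emits a structured log line carrying a correlation ID. The table names bcrypt; this example substitutes a SHA-256 digest from the standard library so it runs without third-party packages, and it assumes 401 for a missing token and 403 for an invalid one (the header name X-Request-ID and the sample secret are constructed).

```python
import hashlib
import hmac
import json
import logging
import uuid
from typing import Mapping

logger = logging.getLogger("webhook")

# Assumption: only a hash of the webhook secret is stored server-side. The
# project's table names bcrypt; SHA-256 is used here as a stand-in so the
# example runs with the standard library alone. Sample secret is constructed.
STORED_TOKEN_HASH = hashlib.sha256(b"constructed-sample-secret").hexdigest()


def _audit(event: str, correlation_id: str, **fields: str) -> None:
    # Structured JSON log line with correlation_id so rejected requests can be
    # joined to metrics and traces during incident response.
    logger.info(json.dumps({"event": event, "correlation_id": correlation_id, **fields}))


def verify_gitlab_token(headers: Mapping[str, str],
                        stored_hash: str = STORED_TOKEN_HASH) -> int:
    """Return the HTTP status for the webhook: 200, 401 (no token) or 403 (bad token)."""
    # Reuse the caller's correlation ID if present (assumed header name), else mint one.
    correlation_id = headers.get("X-Request-ID") or str(uuid.uuid4())
    presented = headers.get("X-Gitlab-Token")
    if not presented:
        _audit("webhook.rejected", correlation_id, reason="missing_token")
        return 401
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    # compare_digest runs in time independent of where the strings first differ;
    # a plain == would short-circuit and leak timing information.
    if not hmac.compare_digest(presented_hash, stored_hash):
        _audit("webhook.rejected", correlation_id, reason="invalid_token")
        return 403
    _audit("webhook.accepted", correlation_id)
    return 200
```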
## Risks to monitor

- repeated 401/403 attempts on sensitive endpoints
- sudden rise in rq_queue_depth
- elevated 5xx and webhook processing error rates
- long-running worker failure alerts
## Minimum incident response

- identify impacted endpoints and time window
- correlate metrics + logs + traces via correlation_id
- if a credentials leak is suspected, rotate tokens immediately
- restore service and document postmortem