> ## Documentation Index
> Fetch the complete documentation index at: https://docs.boble.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security model

> How Boble protects webhook deliveries, and what you should do on your side.

This page lists what Boble enforces on every delivery and a few habits worth adopting on your receiver.

## What Boble enforces

### HTTPS only

`http://` URLs are rejected when you register them, and again at delivery time. Only `https://` endpoints are accepted.

### Private networks are blocked

When you configure the URL, Boble rejects hosts that look like local or private network addresses (`localhost`, `127.0.0.0/8`, `10.0.0.0/8`, `172.16-31`, `192.168.0.0/16`, `169.254.0.0/16`, and IPv6 link-local / ULA). This protects against accidentally pointing a webhook at an internal service.

### 10-second timeout

If your endpoint takes longer than **10 seconds** to reply, Boble gives up. The delivery is recorded as failed with a timeout error in your event log, and you can replay it later.

This is why your handler should be fast — acknowledge with `200` first, then do any heavy work in the background.

### Best-effort delivery

Boble does **not** retry a failed delivery automatically. The failed event sits in your event log until you manually resend it.

### Response body capture

Boble stores the first 4 KB of whatever your endpoint replies. That's useful when you debug a failed delivery from the dashboard — you can see the error message your service returned. Long responses are simply truncated.

## What you should do

### Always verify the signature

Even for test events. See [Signature verification](/webhooks/signature-verification).

### Reply fast

Reply `200` as quickly as you can — ideally well under a second. If your handler needs to call out to another service (send a Discord message, create a Mailchimp contact), enqueue the work to a background job and acknowledge first. Otherwise you risk hitting the 10-second timeout and having your event marked as failed.

### Handle resends safely

When you resend an event manually, Boble dispatches a brand-new delivery with the same data but a new envelope `id`. If your handler isn't careful, this can double-apply side effects (sending the same welcome email twice, creating two contacts).

The safe pattern is to dedupe based on a value derived from `data.object` — typically `data.object.id` together with the event `type`. See [Payload structure](/webhooks/payload-structure#avoiding-double-application).

### Rotate the secret if it leaks

If you suspect the signing secret has been exposed (a leaked log file, a former contractor with access to your env), rotate it from your dashboard. All your promotion endpoints share the same secret, so a single rotation covers everything.
