🔥 3-day streak
CompTIA SecurityX (CAS-005)114 / 120
Question 114 of 120
A DevSecOps team exposes an internal deployment automation endpoint that receives webhooks from a third-party CI/CD SaaS provider. The provider signs each payload with an HMAC-SHA256 signature using a shared secret and includes a timestamp header. During a security review, an engineer notes that the automation service currently verifies only that the request originates from the provider's published IP ranges before triggering a production deployment. Which change most effectively prevents both forged and replayed deployment requests?
Reviewed for accuracy · Report an issueNext question