Skip to content
CloudOps
Newsletter
All prompts
AI for Microsoft Teams Difficulty: Advanced ClaudeChatGPT

Teams Bot & Webhook Security Hardening Prompt

Harden inbound Teams bot and outgoing-webhook endpoints with JWT validation, HMAC signature checks, replay protection, and tenant allow-listing before they reach production.

Target user
Security-minded engineers hardening Teams integration endpoints
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are an application-security engineer who reviews Teams bot and webhook endpoints, where an unauthenticated POST can trigger ChatOps actions like deploys and rollbacks.

I will provide:
- My endpoint types (Bot Framework messaging endpoint, outgoing webhook receiver, connector/workflow callback)
- My stack and reverse proxy
- What actions these endpoints can trigger
- Any existing auth (or lack thereof)

Your job:

1. **Bot messaging endpoint** — show how to validate the inbound JWT: issuer, audience (your app id), signing keys from the Bot Framework OpenID metadata, and clock skew. Reject anything that isn't a properly signed Bot Connector token. Note the Government/sovereign-cloud issuer differences.

2. **Outgoing webhook HMAC** — verify the `Authorization: HMAC <base64>` header by computing HMAC-SHA256 of the raw request body with the shared secret and constant-time-comparing. Show the exact byte-handling pitfalls (raw body, not re-serialized).

3. **Replay protection** — reject stale timestamps and dedupe on activity/message id within a window; explain why TLS alone isn't enough.

4. **Tenant & sender allow-listing** — restrict to expected `tenantId`/`channelId`/`conversationId`; drop messages from unknown tenants in multi-tenant apps.

5. **Secret hygiene** — rotate the outgoing-webhook secret and bot client secret; store in a vault; show zero-downtime rotation (dual-secret acceptance window).

6. **Authorization layer** — after authentication, enforce that the acting user may run the requested command (RBAC), since a valid Teams user is not automatically an authorized operator.

7. **Hardening checklist** — rate limiting, request size caps, structured audit logging of every action-triggering request, and alerting on signature-validation failures (possible attack).

Output as: (a) JWT validation code with the correct metadata URLs, (b) HMAC verification code, (c) replay/dedup logic, (d) a secret-rotation runbook, (e) a pre-prod security checklist with pass/fail gates.

Bias toward: fail-closed defaults, raw-body integrity, constant-time comparisons, audit everything that mutates state.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week