front-webhook
Handles Front webhook events for support interactions, enabling conversation ingestion and message handling through API integrations.
Security score
The front-webhook skill was audited on Feb 9, 2026 and we found 31 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 41 | Buffer.from(`${timestamp}:`, 'utf8'), |
Template literal with variable interpolation in command context
| 160 | return `inb_${decimalId.toString(36)}` |
Curl to non-GitHub URL
| 167 | curl -H "Authorization: Bearer $FRONT_API_TOKEN" "https://api2.frontapp.com/inboxes" | jq '._results[] | {id, name}' |
Webhook reference - potential data exfiltration
| 2 | name: front-webhook |
Webhook reference - potential data exfiltration
| 3 | description: Handle Front webhook events for the support platform. Use when implementing conversation ingestion, message handlers, Front API integrations, or webhook signature verification. |
Webhook reference - potential data exfiltration
| 7 | # Front Webhook Handler |
Webhook reference - potential data exfiltration
| 9 | Front is the **source of truth for all conversations**. Every support interaction starts with a Front webhook. |
Webhook reference - potential data exfiltration
| 11 | ## ⚠️ CRITICAL: Webhooks Send PREVIEWS, Not Full Data |
Webhook reference - potential data exfiltration
| 13 | **This is the #1 gotcha with Front integration.** Webhooks do NOT contain the full message body or sender email. You MUST fetch via API. |
Webhook reference - potential data exfiltration
| 15 | ## Key Insight: Webhooks Send PREVIEWS |
Webhook reference - potential data exfiltration
| 17 | Front webhooks send **event previews**, NOT full data. You get: |
Webhook reference - potential data exfiltration
| 50 | When creating/updating a webhook, Front sends a validation request: |
Webhook reference - potential data exfiltration
| 60 | ## Webhook Handler Pattern |
Webhook reference - potential data exfiltration
| 65 | const secret = process.env.FRONT_WEBHOOK_SECRET |
Webhook reference - potential data exfiltration
| 72 | const result = verifyFrontWebhook(payload, headers, { secret }) |
Webhook reference - potential data exfiltration
| 104 | For local testing, use a tunnel (ngrok) and point the Front webhook to the **exact** tunnel URL: |
Webhook reference - potential data exfiltration
| 108 | # Use the https URL printed by ngrok as the webhook target |
Webhook reference - potential data exfiltration
| 111 | Do not use wildcard domains for webhook URLs. |
Webhook reference - potential data exfiltration
| 113 | ## Front Event Types (Application Webhooks) |
Webhook reference - potential data exfiltration
| 115 | | Webhook Event | API Event | Description | |
Webhook reference - potential data exfiltration
| 140 | - Webhook handler: `apps/front/app/api/webhooks/front/route.ts` |
Webhook reference - potential data exfiltration
| 142 | - Signature verification: `packages/core/src/webhooks/verify.ts` |
Webhook reference - potential data exfiltration
| 186 | FRONT_WEBHOOK_SECRET= # App signing key (32-char hex) |
Ngrok tunnel reference
| 102 | ## Local Dev (ngrok) |
Ngrok tunnel reference
| 104 | For local testing, use a tunnel (ngrok) and point the Front webhook to the **exact** tunnel URL: |
Ngrok tunnel reference
| 107 | ngrok http 3000 |
Ngrok tunnel reference
| 108 | # Use the https URL printed by ngrok as the webhook target |
Access to .env file
| 65 | const secret = process.env.FRONT_WEBHOOK_SECRET |
Access to .env file
| 128 | const front = createFrontClient(process.env.FRONT_API_TOKEN) |
External URL reference
| 152 | - UI URL: `https://app.frontapp.com/settings/tim:571743/inboxes/edit/[PHONE]/settings` |
External URL reference
| 167 | curl -H "Authorization: Bearer $FRONT_API_TOKEN" "https://api2.frontapp.com/inboxes" | jq '._results[] | {id, name}' |