integrating-stripe-webhooks
Provides solutions for Stripe webhook integration, addressing raw body parsing and signature verification issues across frameworks.
Security score
The integrating-stripe-webhooks skill was audited on Mar 4, 2026 and we found 41 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 151 | const successUrl = `${origin}/orgs?name=${orgName}&subscription=success`; |
Template literal with variable interpolation in command context
| 154 | const successUrl = `${origin}/orgs?name=${encodeURIComponent(orgName)}&subscription=success`; |
Webhook reference - potential data exfiltration
| 2 | name: integrating-stripe-webhooks |
Webhook reference - potential data exfiltration
| 3 | description: Use when implementing Stripe webhook endpoints and getting 'Raw body not available' or signature verification errors - provides raw body parsing solutions and subscription period field fi |
Webhook reference - potential data exfiltration
| 6 | # Integrating Stripe Webhooks |
Webhook reference - potential data exfiltration
| 10 | Stripe webhooks require raw request bodies for signature verification. Most web frameworks parse JSON automatically, breaking verification. This skill provides framework-specific solutions for the raw |
Webhook reference - potential data exfiltration
| 15 | - Getting "Raw body not available" errors from Stripe webhooks |
Webhook reference - potential data exfiltration
| 16 | - Webhook signature verification fails with 400 errors |
Webhook reference - potential data exfiltration
| 17 | - Implementing new Stripe webhook endpoints |
Webhook reference - potential data exfiltration
| 19 | - Webhooks return 404 (route registration issues) |
Webhook reference - potential data exfiltration
| 22 | - General Stripe API integration (not webhooks) |
Webhook reference - potential data exfiltration
| 32 | | 404 on webhook endpoint | Register webhook route inside API prefix | |
Webhook reference - potential data exfiltration
| 51 | req.rawBody = body; // Store for webhooks |
Webhook reference - potential data exfiltration
| 56 | // In webhook handler |
Webhook reference - potential data exfiltration
| 58 | const event = stripe.webhooks.constructEvent( |
Webhook reference - potential data exfiltration
| 59 | rawBody, signature, webhookSecret |
Webhook reference - potential data exfiltration
| 66 | // Define webhook route BEFORE express.json() middleware |
Webhook reference - potential data exfiltration
| 67 | app.post('/webhooks/stripe', |
Webhook reference - potential data exfiltration
| 70 | const event = stripe.webhooks.constructEvent( |
Webhook reference - potential data exfiltration
| 73 | webhookSecret |
Webhook reference - potential data exfiltration
| 78 | app.use(express.json()); // After webhook route |
Webhook reference - potential data exfiltration
| 84 | @app.post('/webhooks/stripe') |
Webhook reference - potential data exfiltration
| 85 | async def stripe_webhook(request: Request): |
Webhook reference - potential data exfiltration
| 89 | event = stripe.Webhook.construct_event( |
Webhook reference - potential data exfiltration
| 90 | payload, signature, webhook_secret |
Webhook reference - potential data exfiltration
| 122 | **Cause:** Webhook routes registered outside API prefix. |
Webhook reference - potential data exfiltration
| 125 | // ❌ WRONG - creates /webhooks/stripe instead of /api/v1/webhooks/stripe |
Webhook reference - potential data exfiltration
| 131 | await server.register(webhookRoutes, { prefix: '/webhooks' }); // Outside! |
Webhook reference - potential data exfiltration
| 138 | await api.register(webhookRoutes, { prefix: '/webhooks' }); // Inside |
Webhook reference - potential data exfiltration
| 161 | - [ ] Register webhook routes inside API prefix (if using one) |
Webhook reference - potential data exfiltration
| 162 | - [ ] Set `STRIPE_WEBHOOK_SECRET` environment variable |
Webhook reference - potential data exfiltration
| 163 | - [ ] Verify webhook secret is configured before processing |
Webhook reference - potential data exfiltration
| 165 | **Webhook Handler:** |
Webhook reference - potential data exfiltration
| 168 | - [ ] Use `stripe.webhooks.constructEvent()` for verification |
Webhook reference - potential data exfiltration
| 192 | # Forward webhooks to local server |
Webhook reference - potential data exfiltration
| 193 | stripe listen --forward-to localhost:3000/api/v1/webhooks/stripe |
Webhook reference - potential data exfiltration
| 204 | - Webhooks fail with 400 "Invalid signature" |
Webhook reference - potential data exfiltration
| 210 | - Webhooks verify successfully |
Webhook reference - potential data exfiltration
| 217 | - [Stripe Webhook Signature Verification](https://stripe.com/docs/webhooks/signatures) |
External URL reference
| 217 | - [Stripe Webhook Signature Verification](https://stripe.com/docs/webhooks/signatures) |
External URL reference
| 218 | - [Stripe Subscription Object](https://stripe.com/docs/api/subscriptions/object) |
Install this skill with one command
/learn @pr-pm/integrating-stripe-webhooks