webhook-security
Enhances webhook security by verifying signatures, preventing replay attacks, and ensuring reliable processing for various providers.
Security score
The webhook-security skill was audited on Mar 7, 2026 and we found 31 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 108 | const isNew = await redis.set(`webhook:${eventId}`, '1', 'NX', 'EX', 172800) |
Template literal with variable interpolation in command context
| 111 | console.log(`Duplicate webhook ${eventId}, skipping`) |
Template literal with variable interpolation in command context
| 120 | await redis.del(`webhook:${eventId}`) |
Webhook reference - potential data exfiltration
| 2 | name: webhook-security |
Webhook reference - potential data exfiltration
| 4 | Secure webhook endpoints. Use when a user asks to verify webhook signatures, |
Webhook reference - potential data exfiltration
| 5 | prevent replay attacks, handle webhook retries, or implement secure webhook |
Webhook reference - potential data exfiltration
| 14 | - webhooks |
Webhook reference - potential data exfiltration
| 21 | # Webhook Security |
Webhook reference - potential data exfiltration
| 25 | Webhooks deliver real-time data to your app, but an open endpoint is an attack surface. Without verification, anyone can POST fake events to your webhook URL. This skill covers signature verification, |
Webhook reference - potential data exfiltration
| 31 | Every major provider signs webhook payloads with HMAC. Verify before processing. |
Webhook reference - potential data exfiltration
| 34 | // lib/webhooks/verify.ts — Generic HMAC verification |
Webhook reference - potential data exfiltration
| 56 | ### Step 2: Stripe Webhook Verification |
Webhook reference - potential data exfiltration
| 59 | // routes/webhooks/stripe.ts — Stripe webhook handler |
Webhook reference - potential data exfiltration
| 64 | export async function handleStripeWebhook(req: Request) { |
Webhook reference - potential data exfiltration
| 70 | event = stripe.webhooks.constructEvent( |
Webhook reference - potential data exfiltration
| 73 | process.env.STRIPE_WEBHOOK_SECRET! |
Webhook reference - potential data exfiltration
| 76 | console.error('Webhook signature verification failed:', err.message) |
Webhook reference - potential data exfiltration
| 100 | // lib/webhooks/idempotency.ts — Prevent duplicate processing |
Webhook reference - potential data exfiltration
| 108 | const isNew = await redis.set(`webhook:${eventId}`, '1', 'NX', 'EX', 172800) |
Webhook reference - potential data exfiltration
| 111 | console.log(`Duplicate webhook ${eventId}, skipping`) |
Webhook reference - potential data exfiltration
| 120 | await redis.del(`webhook:${eventId}`) |
Webhook reference - potential data exfiltration
| 131 | ### Step 4: GitHub Webhook Verification |
Webhook reference - potential data exfiltration
| 134 | // routes/webhooks/github.ts — GitHub webhook handler |
Webhook reference - potential data exfiltration
| 146 | export async function handleGitHubWebhook(req: Request) { |
Webhook reference - potential data exfiltration
| 150 | if (!verifyGitHubSignature(body, sig, process.env.GITHUB_WEBHOOK_SECRET!)) { |
Webhook reference - potential data exfiltration
| 172 | - ALWAYS verify signatures before processing. Never trust unverified webhooks. |
Webhook reference - potential data exfiltration
| 175 | - Implement idempotency — webhooks are at-least-once delivery; you WILL receive duplicates. |
Webhook reference - potential data exfiltration
| 177 | - Store webhook event IDs for 24-48h to detect replays. |
Access to .env file
| 62 | const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!) |
Access to .env file
| 73 | process.env.STRIPE_WEBHOOK_SECRET! |
Access to .env file
| 150 | if (!verifyGitHubSignature(body, sig, process.env.GITHUB_WEBHOOK_SECRET!)) { |
Install this skill with one command
/learn @terminalskills/webhook-security