Missing Webhook Verification

Webhook routes without signature verification

critical · Security · missing-webhook-verification

Why this matters

Without signature verification, anyone can send fake webhook events to your endpoint. They can trigger payments, create accounts, or corrupt your data by forging events.

Bad
export async function POST(req: Request) {
  const event = await req.json();
  if (event.type === "payment_intent.succeeded") {
    await fulfillOrder(event.data.object);
  }
  return new Response("ok");
}
Good
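import Stripe from "stripe";

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

export async function POST(req: Request) {
  // Read the raw body: the signature covers the exact bytes sent, not re-serialized JSON.
  const body = await req.text();
  const sig = req.headers.get("stripe-signature");
  if (!sig) {
    return new Response("missing signature", { status: 400 });
  }
  let event: Stripe.Event;
  try {
    // Throws if the signature does not match the webhook secret.
    event = stripe.webhooks.constructEvent(
      body, sig, process.env.STRIPE_WEBHOOK_SECRET!
    );
  } catch {
    return new Response("invalid signature", { status: 400 });
  }
  if (event.type === "payment_intent.succeeded") {
    // fulfillOrder is the application's own handler, defined elsewhere.
    await fulfillOrder(event.data.object);
  }
  return new Response("ok");
}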

How to fix

Verify the webhook signature using the provider's SDK (Stripe, GitHub, etc.) before processing any event. Reject requests with invalid or missing signatures.
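
For a provider without an SDK helper, the same check can be written by hand. The following is an added example, not code from this rule's documentation or from any provider: it verifies a GitHub-style `sha256=<hex>` HMAC header over the raw request body, and shows why the body must not be parsed and re-serialized first. The function names, secret and payload are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed sample values, for illustration only.
const SAMPLE_SECRET = "example-webhook-secret";
const SAMPLE_BODY = '{"action": "opened", "number": 1}';

// What a sender attaches: "sha256=" + hex HMAC-SHA256 of the raw body.
function sign(rawBody: string, secret: string): string {
  const mac = createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
  return "sha256=" + mac;
}

// True only if the header is a valid HMAC of the exact bytes received.
function verifySignature(
  rawBody: string,
  header: string | null,
  secret: string
): boolean {
  // Missing header or unexpected scheme: reject.
  if (!header || !header.startsWith("sha256=")) return false;
  const received = header.slice("sha256=".length);
  // Malformed digest: reject before decoding, so both buffers are 32 bytes
  // and timingSafeEqual cannot throw on a length mismatch.
  if (!/^[0-9a-f]{64}$/i.test(received)) return false;
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  // Constant-time comparison avoids leaking how many bytes matched.
  return timingSafeEqual(expected, Buffer.from(received, "hex"));
}

// Hypothetical handler core: verify first, parse and act only afterwards.
function receive(
  rawBody: string,
  header: string | null,
  secret: string
): { status: number; action?: string } {
  if (!verifySignature(rawBody, header, secret)) return { status: 400 };
  const event = JSON.parse(rawBody);
  return { status: 200, action: event.action };
}

// Pitfall: a body that was parsed and re-serialized no longer matches the
// signed bytes (whitespace differs), so verification fails.
function reserialized(rawBody: string): string {
  return JSON.stringify(JSON.parse(rawBody));
}
```

In a route handler, pass `await req.text()` as `rawBody`, never the result of `req.json()`.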
