AUTH-010 critical http-endpoints

Webhooks verify signatures

All webhooks verify signatures before processing, or are behind Zero Trust

Question to ask

"Could anyone POST fake events to your webhook endpoints?"

Verification guide

Severity: Critical

Check automatically:

  1. Find webhook endpoints:

    # Common webhook path patterns
    grep -rn "webhook\|/hook\|/callback\|/notify" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | grep -i "route\|app\.\|router\."
    
    # Stripe, GitHub, Slack, etc. specific
    grep -rn "stripe.*webhook\|github.*webhook\|slack.*event\|twilio.*webhook" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  2. Check for signature verification:

    # Common signature verification patterns
    grep -rn "verifySignature\|constructEvent\|verify.*signature\|x-hub-signature\|stripe-signature\|webhook.*secret" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
    # Crypto/HMAC verification
    grep -rn "createHmac\|timingSafeEqual" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  3. Cross-reference webhook endpoints with verification:

    • Read each webhook handler
    • Verify signature check happens before processing payload

  4. Check for raw body access (required for signature verification):

    # Express raw body
    grep -rn "rawBody\|bodyParser\.raw\|express\.raw" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    

Pass criteria:

  • All webhook endpoints verify signatures before processing
  • Using provider SDK methods (e.g., stripe.webhooks.constructEvent)
  • Raw body preserved for signature verification
  • Webhook secrets stored in env vars, not hardcoded

Fail criteria:

  • Webhook endpoints with no signature verification
  • Signature check after processing begins
  • Webhook secrets hardcoded in source
  • Raw body not available (signature verification will fail)

If no signature verification found, ask user: "Webhook endpoint [path] has no signature verification. Is this protected by Cloudflare Zero Trust or another mechanism? Unverified webhooks can be spoofed."

Exception:

  • Webhooks behind Cloudflare Zero Trust don't need signature verification (but document this)

Evidence to capture:

  • List of webhook endpoints found
  • Verification method per endpoint (SDK, HMAC, or none)
  • Any unverified webhooks and their protection mechanism

Section

03. Authentication & Endpoints