ENV-009 critical environment-protection

Webhooks bypass Zero Trust but verify signatures

Webhook endpoints that are exempted from Zero Trust (for example via a Cloudflare Access bypass policy) must verify the provider's signature over the raw request body before any processing; the signature check is the only authentication that path has.

Question to ask

"Zero Trust bypass path — is it guarded, or a wide-open door?"

Verification guide

Severity: Critical

Check automatically:

  1. Find webhook endpoints in codebase:

    grep -r -i "webhook" --include="*.ts" --include="*.js" --include="*.py" --include="*.rb" . | grep -i "route\|endpoint\|handler\|post\|app\."

  2. Check for signature verification in webhook handlers (the hits must be in the handlers found in step 1, not only in a provider SDK; a match on "verify" that is commented out or reached only after the body has been parsed still fails):

    grep -r -i "signature\|verify\|hmac\|sha256\|x-hub-signature\|stripe-signature\|svix" --include="*.ts" --include="*.js" --include="*.py" . | head -30

  3. Check for known webhook libraries:

    grep -i "svix\|stripe\|webhook" package.json requirements.txt Gemfile 2>/dev/null

  4. Check Cloudflare Access bypass rules (if API available). A policy with decision "bypass" skips Access entirely for the paths its application covers, so every path behind such a policy must appear in the step 1 list:

    curl -s "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies" \
      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | select(.decision == "bypass")'

  5. Check Terraform for bypass rules. Only decision = "bypass" disables Access; a service_token rule is a non-identity allow that still authenticates the caller, so record it separately rather than treating it as a bypass:

    grep -A 20 "cloudflare_access_policy" terraform/*.tf 2>/dev/null | grep -i "decision\|bypass\|service_token"


Ask user:

  • What webhook providers are used? (Stripe, GitHub, Twilio, etc.)
  • Are webhook endpoints excluded from Zero Trust?
  • How is signature verification implemented?

Pass criteria:

  • Webhook endpoints identified, including every path covered by a Zero Trust bypass rule
  • Each webhook verifies the signature over the raw request body, with a constant-time comparison, before parsing the payload or causing any side effect
  • Signature secret stored securely (env var, secrets manager) and rotated without code changes

Fail criteria:

  • Webhooks bypass Zero Trust with no signature verification
  • Signature verification missing, commented out, or compared with plain string equality
  • Signature computed over a parsed and re-serialized body rather than the raw bytes
  • Webhook secrets hardcoded
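The following is an added example of the check this control expects a handler to pass; it is not code from the original page or from any provider's SDK. It verifies the two common header schemes named in step 2: a GitHub-style "sha256=<hex>" HMAC over the raw body, and a Stripe-style "t=<ts>,v1=<hex>" HMAC over "<ts>.<raw body>" with a replay window. The secret, payload and handler name (handle_webhook) are constructed for the example; the signing helpers exist only so the block can exercise the verifiers offline.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Constructed fallback so the example runs stand-alone; in a real deployment
# the value comes from the environment or a secrets manager, never source code.
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "whsec_example_only").encode()


def _hmac_hex(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_github_style(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Header 'X-Hub-Signature-256: sha256=<hex>' is an HMAC-SHA256 of the raw body.
    Runs on the bytes as received, before any JSON parsing, and compares in
    constant time so an attacker cannot recover the MAC byte by byte."""
    if not header or not header.startswith("sha256="):
        return False  # fail closed: no header means no authentication at all
    expected = _hmac_hex(secret, raw_body)
    return hmac.compare_digest(expected, header[len("sha256="):])


def verify_stripe_style(secret: bytes, raw_body: bytes, header: Optional[str],
                        now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Header 'Stripe-Signature: t=<unix ts>,v1=<hex>[,v1=<hex>]' signs '<t>.<body>'.
    The timestamp is part of the signed data, so rejecting stale values bounds
    how long a captured request can be replayed against the bypass path."""
    if not header:
        return False
    timestamp = None
    candidates = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    ts = int(timestamp)
    current = int(time.time()) if now is None else now
    if abs(current - ts) > tolerance:
        return False
    expected = _hmac_hex(secret, f"{ts}.".encode() + raw_body)
    return any(hmac.compare_digest(expected, c) for c in candidates)


def handle_webhook(headers: Dict[str, str], raw_body: bytes,
                   secret: bytes = WEBHOOK_SECRET, now: Optional[int] = None) -> int:
    """Constructed request handler: returns an HTTP status. Verification happens
    before the body is parsed or any business logic runs; an unsigned request
    on a Zero Trust bypass path is rejected, not processed."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-hub-signature-256" in h:
        ok = verify_github_style(secret, raw_body, h["x-hub-signature-256"])
    elif "stripe-signature" in h:
        ok = verify_stripe_style(secret, raw_body, h["stripe-signature"], now=now)
    else:
        ok = False
    if not ok:
        return 401
    # Only now is it safe to parse and act on the payload.
    return 200


# Signing helpers: stand-ins for the provider side, used to build test inputs.
def sign_github_style(secret: bytes, raw_body: bytes) -> str:
    return "sha256=" + _hmac_hex(secret, raw_body)


def sign_stripe_style(secret: bytes, raw_body: bytes, ts: int) -> str:
    return f"t={ts},v1=" + _hmac_hex(secret, f"{ts}.".encode() + raw_body)


if __name__ == "__main__":
    body = b'{"type":"payment.succeeded","id":"evt_1"}'  # constructed payload
    print(handle_webhook({}, body))  # unsigned request on the bypass path: 401
    print(handle_webhook({"X-Hub-Signature-256": sign_github_style(WEBHOOK_SECRET, body)}, body))
```

The grep in step 2 should land inside functions shaped like these. Two things the grep cannot see but a reviewer must: the comparison uses hmac.compare_digest rather than ==, and the MAC is computed over the raw bytes, since re-serializing parsed JSON changes whitespace and key order and silently invalidates a correct signature.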

Evidence to capture:

  • List of webhook endpoints
  • Signature verification method per endpoint
  • Webhook providers in use
  • Bypass rules in Cloudflare Access (if applicable)

Cross-reference with:

  • ENV-008 (Zero Trust protection)
  • Section 3 (Authentication - webhook signature verification)
  • Section 29 (Secrets Management - webhook secrets)

Section

04. Environments

Infrastructure & Setup