Audit webhook handlers for missing or weak signature verification and propose hardened verification using constant-time comparison.
Audits webhook receivers for missing or weak signature verification (e.g., string equality on HMAC, no timestamp tolerance, no replay protection) and proposes a hardened implementation per provider.
Inputs:
- repo_dir: project root.
- provider: stripe, github, slack, twilio, custom.
- route_glob: where webhook handlers live (e.g., src/routes/webhooks/**).

Procedure:
- If provider != custom, look for known import patterns (from 'stripe' -> Stripe; crypto.createHmac near X-Hub-Signature -> GitHub).
- In each handler, locate the verification: a crypto.createHmac call or a provider-SDK call (stripe.webhooks.constructEvent). A handler with neither has no verification.
- Check that the digest comparison uses crypto.timingSafeEqual (Node) or hmac.compare_digest (Python). Plain === or == is a vulnerability: string equality short-circuits at the first mismatching byte, so the comparison time leaks how much of the forged signature is correct.
- Check that the signature is computed over the raw request bytes. bodyParser.json() consumes the buffer, so the signature must be computed before parsing.
- For Stripe, check that the Stripe-Signature header is parsed to include t= and that a clock-skew window is enforced (default 5 min).
- Report each finding as file:line with a severity: critical for missing verification, high for a non-constant-time comparison, medium for a missing timestamp check.
- Propose the hardened form, e.g. stripe.webhooks.constructEvent(rawBody, signatureHeader, secret, tolerance) with tolerance set to 300 seconds.

Outputs:
- webhook-audit.md with per-handler findings, hardened code suggestions, and a secret-management checklist.
- A per-handler patch file.
- Exit 1 if any handler lacks any verification.
Deploy the hardened handler, send a request with an invalid signature, and confirm 401 is returned. Send a request with a valid signature but a stale timestamp (over the tolerance) and confirm rejection. Use the provider's CLI (e.g., stripe trigger) to send a real signed event and confirm 2xx. Add a test case using a fixture-signed payload so future refactors don't regress.
If the handler runs on Express with body-parser: show the path-specific raw-body capture (express.raw({ type: 'application/json' })) mounted on the webhook route, so the raw bytes reach the handler instead of being consumed by a global JSON parser.
Related skills (same domains or capabilities as amitte/webhook-signature-verifier):
Diff two OpenAPI YAML files and produce a backwards-compatibility changelog grouped into breaking, non-breaking, and additive changes.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.
Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.