Stripe webhook signature verification allows empty secret, enabling forged events #19

New Issue

Closed

opened 2026-04-16 13:30:55 +00:00 by userAdityaa · 0 comments

userAdityaa commented 2026-04-16 13:30:55 +00:00

Contributor

Copy Link

Copy Source

Description

The backend accepts an empty Stripe webhook secret and still performs HMAC signature verification with that empty value. Because an empty HMAC key is publicly known, an attacker can forge valid Stripe-Signature headers and submit fake webhook events to the public webhook endpoint.

Expected behavior

Service should fail startup (or disable webhook handling) when STRIPE_WEBHOOK_SECRET is empty.

Actual behavior

Service starts and accepts signatures generated with an empty secret.

### Description The backend accepts an empty Stripe webhook secret and still performs HMAC signature verification with that empty value. Because an empty HMAC key is publicly known, an attacker can forge valid Stripe-Signature headers and submit fake webhook events to the public webhook endpoint. ### Expected behavior Service should fail startup (or disable webhook handling) when `STRIPE_WEBHOOK_SECRET` is empty. ### Actual behavior Service starts and accepts signatures generated with an empty secret.

userAdityaa referenced a pull request that will close this issue 2026-04-17 13:30:51 +00:00

fix: make stripe webhooks explicitly toggleable with mandatory secret validation #23

hodlbod closed this issue 2026-04-17 22:57:38 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

No results found.

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

hodlbod (hodlbod)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: coracle/caravel#19