Vulnerability Detection · A05:2021 · A08:2021

Webhook Signature Verification Scanner

Find webhook handlers that appear to trust provider events without verifying signatures.

Webhook endpoints mutate payment, auth, email, deployment, and repository state. This scanner reviews connected GitHub code for webhook-like routes and checks whether provider signature verification is present before the payload is trusted.

What this scanner does

Searches webhook route files for Stripe, GitHub, Clerk, Svix, Shopify, Paddle, SendGrid, Resend, Twilio, Supabase, Vercel, and Netlify handlers. Flags handlers with no known signature verification pattern, and Stripe handlers that may verify against a parsed body instead of the raw request body.

Why it matters

Unsigned webhooks can be forged by anyone who discovers the endpoint. Attackers can fake paid invoices, trigger internal workflows, or mutate application data.

Common findings

  • Webhook route with no signature verification
  • Stripe webhook parsing JSON before verification
  • Provider event handler trusting unsigned headers
  • Webhook signing secret not enforced

OWASP Top 10 coverage

  • A05:2021 Security Misconfiguration
  • A08:2021 Software & Data Integrity Failures

Run this check on your site

Get a full security report with remediation guidance in 30 seconds. No setup required.


Related security checks

  • Source Code SAST Scanner (Vulnerability Detection): scan connected GitHub repositories for high-risk auth, secret, CORS, SQL, SSRF, and cookie patterns.
  • GitHub Repository Security Scanner (Infrastructure Check): scan your GitHub repository for leaked secrets, misconfigured Actions, and supply chain risks.
  • API Key Exposure Scanner (Vulnerability Detection): detect exposed API keys, tokens, and secrets in your frontend code and responses.
