webhook-security

Secure webhook endpoints. Use when a user asks to verify webhook signatures, prevent replay attacks, handle webhook retries, or implement secure webhook receivers for Stripe, GitHub, Slack, or any provider.

26 stars

Best use case

webhook-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Secure webhook endpoints. Use when a user asks to verify webhook signatures, prevent replay attacks, handle webhook retries, or implement secure webhook receivers for Stripe, GitHub, Slack, or any provider.

Teams using webhook-security should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/webhook-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/TerminalSkills/skills/main/skills/webhook-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/webhook-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How webhook-security Compares

Feature / Agent           webhook-security   Standard Approach
Platform Support          Not specified      Limited / Varies
Context Awareness         High               Baseline
Installation Complexity   Unknown            N/A

Frequently Asked Questions

What does this skill do?

Secure webhook endpoints. Use when a user asks to verify webhook signatures, prevent replay attacks, handle webhook retries, or implement secure webhook receivers for Stripe, GitHub, Slack, or any provider.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Webhook Security

## Overview

Webhooks deliver real-time data to your app, but an open endpoint is an attack surface. Without verification, anyone can POST fake events to your webhook URL. This skill covers signature verification, replay protection, idempotency, and reliable processing patterns.

## Instructions

### Step 1: Signature Verification

Every major provider signs webhook payloads with HMAC. Verify before processing.

```typescript
// lib/webhooks/verify.ts — Generic HMAC verification
import crypto from 'crypto'

export function verifyHmacSignature(
  payload: string | Buffer,
  signature: string,
  secret: string,
  algorithm: string = 'sha256'
): boolean {
  const expected = crypto
    .createHmac(algorithm, secret)
    .update(payload)
    .digest('hex')

  const received = Buffer.from(signature)
  const computed = Buffer.from(expected)

  // timingSafeEqual throws on inputs of different length, so a wrong-length
  // signature is treated as simply invalid rather than as a server error
  if (received.length !== computed.length) return false

  // Timing-safe comparison prevents timing attacks
  return crypto.timingSafeEqual(received, computed)
}
```

### Step 2: Stripe Webhook Verification

```typescript
// routes/webhooks/stripe.ts — Stripe webhook handler
import Stripe from 'stripe'
// Your own event handlers (assumed to live in a sibling module)
import { handleCheckoutComplete, handlePaymentFailed, handleSubscriptionCanceled } from './handlers'

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!)

export async function handleStripeWebhook(req: Request) {
  const body = await req.text()                    // raw body, NOT parsed JSON
  const sig = req.headers.get('stripe-signature')!

  let event: Stripe.Event
  try {
    event = stripe.webhooks.constructEvent(
      body,
      sig,
      process.env.STRIPE_WEBHOOK_SECRET!
    )
  } catch (err) {
    // A missing or malformed header, a bad signature, or a stale timestamp all land here
    console.error('Webhook signature verification failed:', (err as Error).message)
    return new Response('Invalid signature', { status: 400 })
  }

  // Process event idempotently
  switch (event.type) {
    case 'checkout.session.completed':
      await handleCheckoutComplete(event.data.object)
      break
    case 'invoice.payment_failed':
      await handlePaymentFailed(event.data.object)
      break
    case 'customer.subscription.deleted':
      await handleSubscriptionCanceled(event.data.object)
      break
  }

  return new Response('OK', { status: 200 })
}
```

### Step 3: Replay Protection

```typescript
// lib/webhooks/idempotency.ts — Prevent duplicate processing
import { redis } from '../redis'   // ioredis client

export async function processOnce(
  eventId: string,
  handler: () => Promise<void>
): Promise<boolean> {
  // SET key value EX 172800 NX: claim the event id atomically, 48h expiry,
  // only if it does not already exist. ioredis returns 'OK' when the key was
  // set and null when it already existed.
  const isNew = await redis.set(`webhook:${eventId}`, '1', 'EX', 172800, 'NX')

  if (!isNew) {
    console.log(`Duplicate webhook ${eventId}, skipping`)
    return false
  }

  try {
    await handler()
    return true
  } catch (err) {
    // Remove the key so the provider's retry can be processed
    await redis.del(`webhook:${eventId}`)
    throw err
  }
}

// Usage, inside the webhook handler after signature verification:
// `session` is the verified event's object and `db` is your database client
await processOnce(event.id, async () => {
  await db.order.update({ where: { stripeSessionId: session.id }, data: { status: 'paid' } })
})
```
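As an added example (not part of the skill's own code), the same claim-then-release logic from the block above run against an in-memory store with an injectable clock, so the cases a reviewer cares about can be exercised without Redis: the first delivery fails and releases the key, the retry is processed, a third delivery is skipped as a duplicate, and a replay arriving after the TTL has expired is processed again, which is why the dedup window must be paired with the provider's timestamp tolerance on the signature. `SeenEvents`, `processOnceInMemory`, `runScenario` and the event id are constructed for this example; the `Map` stands in for Redis `SET NX EX` and, in production, the claim must live in shared storage.

```typescript
// Added example: in-memory model of the SET NX EX idempotency pattern.
// The Map is a stand-in for Redis; the clock is injectable so expiry is testable.
type Clock = () => number

export class SeenEvents {
  private seen: Map<string, number> = new Map()   // eventId -> expiry (ms)
  private ttlMs: number
  private clock: Clock

  constructor(ttlMs: number, clock: Clock = Date.now) {
    this.ttlMs = ttlMs
    this.clock = clock
  }

  // Equivalent of `SET key 1 EX ttl NX`: true only for the first claimant
  // while the key is live. Node is single-threaded, so this is atomic here;
  // with Redis the NX flag provides the same guarantee across workers.
  claim(eventId: string): boolean {
    const now = this.clock()
    const expiry = this.seen.get(eventId)
    if (expiry !== undefined && expiry > now) return false
    this.seen.set(eventId, now + this.ttlMs)
    return true
  }

  // Equivalent of `DEL key`: give the id back so a retry can succeed
  release(eventId: string): void {
    this.seen.delete(eventId)
  }
}

export type Outcome = 'processed' | 'duplicate'

export async function processOnceInMemory(
  store: SeenEvents,
  eventId: string,
  handler: () => Promise<void>
): Promise<Outcome> {
  if (!store.claim(eventId)) return 'duplicate'
  try {
    await handler()
    return 'processed'
  } catch (err) {
    store.release(eventId)   // let the provider's retry be processed
    throw err
  }
}

// Scenario driver: one constructed event id delivered three times in quick
// succession (first handler attempt fails), then replayed after the TTL.
export async function runScenario(): Promise<{ calls: number; outcomes: Outcome[]; errors: number }> {
  let t = 0                                        // fake clock, milliseconds
  const store = new SeenEvents(48 * 3600 * 1000, () => t)   // 48h window
  let calls = 0
  let errors = 0
  const outcomes: Outcome[] = []
  const flakyHandler = async () => {
    calls++
    if (calls === 1) throw new Error('db unavailable')   // simulated transient failure
  }

  for (let i = 0; i < 3; i++) {
    try {
      outcomes.push(await processOnceInMemory(store, 'evt_constructed_1', flakyHandler))
    } catch (e) {
      errors++
    }
    t += 1000
  }

  // After the TTL the id is forgotten, so a late replay is processed again:
  // the dedup window alone does not stop replays older than the window.
  t += 49 * 3600 * 1000
  outcomes.push(await processOnceInMemory(store, 'evt_constructed_1', flakyHandler))

  return { calls, outcomes, errors }
}
```

Running `runScenario()` yields three handler calls and the outcomes `processed, duplicate, processed`: the failed first attempt released the key, the retry went through, the immediate duplicate was dropped, and the post-TTL replay was accepted, which is the gap that the signature's timestamp tolerance has to close.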

### Step 4: GitHub Webhook Verification

```typescript
// routes/webhooks/github.ts — GitHub webhook handler
import crypto from 'crypto'
// Your own event handlers (assumed to live in a sibling module)
import { handlePush, handlePR } from './handlers'

function verifyGitHubSignature(payload: string, signature: string, secret: string): boolean {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex')

  const received = Buffer.from(signature)
  const computed = Buffer.from(expected)
  // Length check first: timingSafeEqual throws on inputs of different length
  return received.length === computed.length && crypto.timingSafeEqual(received, computed)
}

export async function handleGitHubWebhook(req: Request) {
  const body = await req.text()
  const sig = req.headers.get('x-hub-signature-256')

  // A missing header is rejected the same way as a bad signature
  if (!sig || !verifyGitHubSignature(body, sig, process.env.GITHUB_WEBHOOK_SECRET!)) {
    return new Response('Invalid signature', { status: 401 })
  }

  const event = req.headers.get('x-github-event')
  const payload = JSON.parse(body)

  switch (event) {
    case 'push':
      await handlePush(payload)
      break
    case 'pull_request':
      await handlePR(payload)
      break
  }

  return new Response('OK', { status: 200 })
}
```
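The handlers in Steps 1, 2 and 4 rely on two header formats. The following example, added here and not part of the original SKILL.md, implements both checks from scratch so they can be exercised offline with a constructed secret: the GitHub `sha256=`-prefixed header from Step 4, and the Stripe `t=<timestamp>,v1=<hex>` header that `stripe.webhooks.constructEvent` in Step 2 checks for you, where the HMAC covers `<timestamp>.<raw body>` and deliveries outside the tolerance window are rejected as replays. The shared `safeEqualHex` handles the length-mismatch case that `timingSafeEqual` throws on. The `sign*` helpers exist only so the example can produce headers for itself; function names and the secret are assumptions, while the header layouts follow the providers' public documentation.

```typescript
// Added example: hand-rolled verification of the two webhook header formats,
// runnable offline. Not the Stripe SDK's or GitHub's own code.
import { createHmac, timingSafeEqual } from 'node:crypto'

// Constant-time equality that never throws: a length mismatch is "not equal"
export function safeEqualHex(a: string, b: string): boolean {
  const bufA = Buffer.from(a, 'utf8')
  const bufB = Buffer.from(b, 'utf8')
  if (bufA.length !== bufB.length) return false
  return timingSafeEqual(bufA, bufB)
}

function hmacHex(secret: string, data: string): string {
  return createHmac('sha256', secret).update(data).digest('hex')
}

// GitHub style: X-Hub-Signature-256 = "sha256=" + HMAC-SHA256(secret, raw body)
export function verifyGitHubStyle(rawBody: string, header: string | null, secret: string): boolean {
  if (!header || !header.startsWith('sha256=')) return false
  return safeEqualHex(header, 'sha256=' + hmacHex(secret, rawBody))
}

// Stripe style: Stripe-Signature = "t=<unix seconds>,v1=<hex>[,v1=<hex>...]"
// The signed payload is "<t>.<raw body>"; a delivery whose timestamp is more
// than `toleranceSeconds` from now is rejected even if the HMAC is valid.
export function verifyStripeStyle(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number,
  toleranceSeconds: number = 300
): boolean {
  if (!header) return false
  let timestamp: number | null = null
  const candidates: string[] = []
  for (const part of header.split(',')) {
    const [k, v] = part.split('=', 2)
    if (k === 't' && v && /^\d+$/.test(v)) timestamp = Number(v)
    else if (k === 'v1' && v) candidates.push(v)
  }
  if (timestamp === null || candidates.length === 0) return false
  if (Math.abs(nowSeconds - timestamp) > toleranceSeconds) return false   // replay window
  const expected = hmacHex(secret, `${timestamp}.${rawBody}`)
  // Several v1 values appear during secret rotation; any one matching suffices
  return candidates.some((c) => safeEqualHex(c, expected))
}

// Header builders so the example can exercise itself without a provider
export function signGitHubStyle(rawBody: string, secret: string): string {
  return 'sha256=' + hmacHex(secret, rawBody)
}

export function signStripeStyle(rawBody: string, secret: string, timestamp: number): string {
  return `t=${timestamp},v1=${hmacHex(secret, `${timestamp}.${rawBody}`)}`
}
```

Both verifiers take the raw request body exactly as received; re-serialising parsed JSON changes whitespace and key order and the HMAC no longer matches, which is the point of the "raw body, NOT parsed JSON" comment in Step 2.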

## Guidelines

- ALWAYS verify signatures before processing. Never trust unverified webhooks.
- Use `crypto.timingSafeEqual` — regular string comparison leaks timing information. It throws when the two buffers differ in length, so compare lengths first and treat a mismatch as an invalid signature.
- Verify against the raw request body, not the JSON-parsed data: re-serialising parsed JSON can change whitespace and key order, so the HMAC no longer matches.
- Implement idempotency — webhooks are at-least-once delivery; you WILL receive duplicates.
- Return 200 quickly and process asynchronously (queue) to avoid timeout retries.
- Store webhook event IDs for 24-48h to detect replays.

Related Skills

webhook-processor

26
from TerminalSkills/skills

Build and configure webhook processing systems with retry logic, signature verification, and dead letter queues. Use when you need to receive, validate, and reliably process incoming webhooks from payment providers, version control platforms, or third-party APIs. Trigger words: webhook, callback URL, event handler, retry, idempotency, payload processing.

security-audit

26
from TerminalSkills/skills

Scan code for security vulnerabilities, misconfigurations, and exposed secrets. Use when a user asks to audit security, find vulnerabilities, check for OWASP issues, scan for secrets, review dependencies for CVEs, detect SQL injection, find XSS vulnerabilities, or harden an application. Covers OWASP Top 10, dependency auditing, secrets detection, and generates fix recommendations with severity ratings.

gcp-waf-security

26
from TerminalSkills/skills

Apply the Google Cloud Well-Architected Framework's Security pillar — security by design, zero trust with IAP and BeyondCorp, shift-left scanning in CI/CD, Binary Authorization, VPC Service Controls, Cloud Armor, Sensitive Data Protection, and Security Command Center. Use for security architecture reviews, hardening checklists, and compliance evaluations.

zustand

26
from TerminalSkills/skills

You are an expert in Zustand, the small, fast, and scalable state management library for React. You help developers manage global state without boilerplate using Zustand's hook-based stores, selectors for performance, middleware (persist, devtools, immer), computed values, and async actions — replacing Redux complexity with a simple, un-opinionated API in under 1KB.

zoho

26
from TerminalSkills/skills

Integrate and automate Zoho products. Use when a user asks to work with Zoho CRM, Zoho Books, Zoho Desk, Zoho Projects, Zoho Mail, or Zoho Creator, build custom integrations via Zoho APIs, automate workflows with Deluge scripting, sync data between Zoho apps and external systems, manage leads and deals, automate invoicing, build custom Zoho Creator apps, set up webhooks, or manage Zoho organization settings. Covers Zoho CRM, Books, Desk, Projects, Creator, and cross-product integrations.

zod

26
from TerminalSkills/skills

You are an expert in Zod, the TypeScript-first schema declaration and validation library. You help developers define schemas that validate data at runtime AND infer TypeScript types at compile time — eliminating the need to write types and validators separately. Used for API input validation, form validation, environment variables, config files, and any data boundary.

zipkin

26
from TerminalSkills/skills

Deploy and configure Zipkin for distributed tracing and request flow visualization. Use when a user needs to set up trace collection, instrument Java/Spring or other services with Zipkin, analyze service dependencies, or configure storage backends for trace data.

zig

26
from TerminalSkills/skills

Expert guidance for Zig, the systems programming language focused on performance, safety, and readability. Helps developers write high-performance code with compile-time evaluation, seamless C interop, no hidden control flow, and no garbage collector. Zig is used for game engines, operating systems, networking, and as a C/C++ replacement.

zed

26
from TerminalSkills/skills

Expert guidance for Zed, the high-performance code editor built in Rust with native collaboration, AI integration, and GPU-accelerated rendering. Helps developers configure Zed, create custom extensions, set up collaborative editing sessions, and integrate AI assistants for productive coding.

zeabur

26
from TerminalSkills/skills

Expert guidance for Zeabur, the cloud deployment platform that auto-detects frameworks, builds and deploys applications with zero configuration, and provides managed services like databases and message queues. Helps developers deploy full-stack applications with automatic scaling and one-click marketplace services.

zapier

26
from TerminalSkills/skills

Automate workflows between apps with Zapier. Use when a user asks to connect apps without code, automate repetitive tasks, sync data between services, or build no-code integrations between SaaS tools.

zabbix

26
from TerminalSkills/skills

Configure Zabbix for enterprise infrastructure monitoring with templates, triggers, discovery rules, and dashboards. Use when a user needs to set up Zabbix server, configure host monitoring, create custom templates, define trigger expressions, or automate host discovery and registration.