CRITICAL | CWE-345 | Payment Security
Stripe Webhook Without Signature Verification
Description
Your Stripe webhook endpoint does not verify the Stripe-Signature header, allowing attackers to forge payment events.
How Vezraa Detects It
We send a test payload to your webhook endpoint and check if signature verification is properly implemented.
Real-World Impact
Fake checkout.session.completed events can grant free subscriptions, bypass payments, and trigger fulfillment of digital goods.
Fix Example
const stripe = require('stripe')(STRIPE_SECRET_KEY);
// Stripe signs the raw request bytes: mount express.raw() on this route so a JSON
// body parser cannot re-serialize the payload before constructEvent verifies it.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  let event;
  try {
    event = stripe.webhooks.constructEvent(req.body, req.headers['stripe-signature'], STRIPE_WEBHOOK_SECRET);
  } catch (err) {
    return res.status(400).send('Webhook signature verification failed'); // unsigned or forged: reject
  }
  res.json({ received: true }); // event.type (e.g. checkout.session.completed) is now trustworthy
});
Affected Stacks
Stripe | Next.js | Express