
security: generic webhook endpoint has no HMAC signing verification (OPERATIONS.md item 6.1 misleading) #61

@singret


Problem

docs/OPERATIONS.md item 6.1 tells operators:

WEBHOOK_SIGNING_SECRET set if using the generic webhook endpoint — unsigned requests rejected

This env var does not exist in the codebase. The generic webhook handler (/api/v1/webhooks/generic) accepts any payload with no signature verification. The checklist is misleading operators into believing a security control is active when it is not.

Impact

Operators following the production checklist will try to set WEBHOOK_SIGNING_SECRET and assume unsigned requests are rejected — but they are silently accepted regardless.

Options

Option A (quick fix): Remove item 6.1 from docs/OPERATIONS.md since the feature doesn't exist.

Option B (implement it): Add an optional WEBHOOK_SIGNING_SECRET env var. When set, the generic webhook middleware verifies an X-Webhook-Signature: sha256=<hmac> header and rejects unsigned payloads with 401. This is a real security need for production.

Option B is preferred — without it, anyone who knows the generic webhook URL can inject arbitrary alerts.

Found during

Production readiness checklist run (OPE-103).

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests