
Validate and constrain webhook URLs to https and block private/loopback hosts #19


@mikewheeleer

Harden webhook URL validation against private and non-https targets

Description

src/app/webhooks/page.tsx accepts any type="url" value and POSTs it straight to /api/v1/webhooks with no scheme or host checks. A user can register an http:// URL or an internal host such as http://localhost or http://169.254.169.254, handing the backend an SSRF-prone delivery target. This issue asks for defensive client-side validation and clear guidance.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-frontend only.
  • Parse the URL with the URL constructor and reject non-https: schemes with an inline role="alert" message before any POST.
  • Block obvious private/loopback/link-local hosts (localhost, 127.0.0.0/8, ::1, 10., 192.168., 172.16–31., 169.254.) on the client as a first line of defence, with a note that the backend must enforce the same.
  • Keep the comma-separated events parsing intact and surface the validation message accessibly.
  • Document that client validation is advisory and server-side SSRF protection is authoritative.
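An added example of the validator the requirements describe; it is not the project's code, and validateWebhookUrl is the name the issue suggests while the { ok, reason } result shape, the BLOCKED_HOSTNAMES set and the isPrivateIPv4 helper are assumptions. It relies on the WHATWG URL parser lower-casing hostnames and canonicalizing IPv4 shorthand (127.1, 0x7f000001) before the host check runs:

```typescript
// Example client-side webhook URL validator (added illustration, not project code).
// Client validation is advisory: the backend must enforce the same checks.

type WebhookUrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Loopback names as the URL parser reports them (IPv6 literals keep brackets).
const BLOCKED_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True for IPv4 addresses in loopback, RFC 1918 or link-local ranges.
function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 127 ||                         // 127.0.0.0/8 loopback
    a === 10 ||                          // 10.0.0.0/8
    (a === 192 && b === 168) ||          // 192.168.0.0/16
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 169 && b === 254)             // 169.254.0.0/16 link-local (cloud metadata)
  );
}

/**
 * Validates a user-supplied webhook URL before it is POSTed to the API.
 * Rejects anything that is not an absolute https URL, and blocks obvious
 * loopback, private and link-local hosts as a first line of defence.
 */
function validateWebhookUrl(raw: string): WebhookUrlCheck {
  let url: URL;
  try {
    url = new URL(raw.trim()); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "Enter a valid absolute URL." };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "Webhook URL must use https://." };
  }
  // hostname is already lower-cased and IPv4-normalized by the URL parser.
  const host = url.hostname;
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith(".localhost")) {
    return { ok: false, reason: "Loopback hosts are not allowed." };
  }
  if (isPrivateIPv4(host)) {
    return { ok: false, reason: "Private or link-local addresses are not allowed." };
  }
  return { ok: true, url };
}
```

The rejected branches carry the message to render in the inline role="alert" element, so the POST can be gated on `ok` alone.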

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/webhooks-19-url-validation
  • Implement changes
    • Write code in: src/app/webhooks/page.tsx; extract a validateWebhookUrl helper.
    • Write comprehensive tests in: create src/app/webhooks/page.test.tsx covering accepted and rejected URLs.
    • Add documentation: add a security note in README.md about SSRF and the client/server split.
    • Add JSDoc to the validator.
    • Validate that no blocked URL ever reaches apiPost.
  • Test and commit

Test and commit

  • Run npm run lint, npm test, and npm run build.
  • Cover edge cases: https public host (accept), http (reject), localhost/127.0.0.1/169.254.x (reject), and malformed URL.
  • Include the full npm test output and a short threat-model note in the PR description.

Example commit message

security: validate webhook URLs against non-https and private hosts

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
