Severity: high | Preview/code only | Code scan | 89% confidence
Stripe webhook is missing signature verification
A webhook handler accepts event payloads without verifying Stripe's signature header.
Why this matters
A forged webhook could grant paid access, cancel subscriptions, or corrupt billing state.
Evidence
src/app/api/stripe/webhook/route.ts:14 (production evidence)
1. No call to stripe.webhooks.constructEvent was found.
2. Handler parses JSON directly from request body.
3. Route writes subscription status after parsing event type.
Suggested fix
Use the raw request body and verify the stripe-signature header with STRIPE_WEBHOOK_SECRET before trusting the event.
Paste into Cursor
Update the Stripe webhook route to read the raw request body, call stripe.webhooks.constructEvent with STRIPE_WEBHOOK_SECRET, and reject requests with invalid signatures before any billing updates.