GuardAPI

Fix Insecure Webhooks in Bottle

An inbound webhook that accepts any POST is a public, unauthenticated API endpoint. Anyone who learns the URL can inject data, trigger unauthorized state changes, or, if the handler fetches URLs taken from the payload, turn it into an SSRF primitive. In Bottle, developers often trust the POST body blindly. If you are not verifying the HMAC signature of the incoming payload, you are inviting attackers to spoof legitimate senders such as GitHub or Stripe. Real protection needs a shared secret, a signature computed over the raw body, and a constant-time comparison.

The Vulnerable Pattern

```python
from bottle import post, request


def trigger_deployment():
    # Placeholder for the sensitive action the webhook drives
    print('deploying...')


@post('/api/webhook')
def insecure_webhook():
    # VULNERABLE: no authentication or signature verification.
    # Anyone who can reach this URL can POST {"action": "deploy"} and trigger it.
    data = request.json
    action = data.get('action')
    if action == 'deploy':
        trigger_deployment()
    return {'status': 'received'}
```

The Secure Implementation

The fix adds HMAC (Hash-based Message Authentication Code) verification. Sender and receiver share a secret; the receiver reads the raw request body exactly as it arrived, computes HMAC-SHA256 over those bytes with the secret, and compares the result against the signature header the sender supplied. Two details matter. First, hash the raw bytes, not a re-serialized request.json: any change in whitespace or key order produces a different digest and a spurious rejection. Second, compare with hmac.compare_digest(), which runs in constant time. A plain == returns as soon as the first differing byte is found, and that timing difference lets an attacker recover a valid signature for a chosen payload one byte at a time. Parse and act on the payload only after the comparison succeeds, and fail closed if the secret is not configured rather than "verifying" against an empty key. Without this check, an attacker can forge any payload and trigger sensitive actions on your backend.

```python
import hmac
import hashlib
import json
import os
from bottle import post, request, HTTPError

# Shared secret stored in environment variables (never in source control)
WEBHOOK_SECRET = os.environ.get('WEBHOOK_SECRET', '').encode()


@post('/api/webhook')
def secure_webhook():
    # Fail closed: an empty key would let anyone produce a "valid" signature
    if not WEBHOOK_SECRET:
        raise HTTPError(500, 'Webhook secret not configured')

    # 1. Grab the signature header (e.g., GitHub style)
    signature = request.get_header('X-Hub-Signature-256')
    if not signature:
        raise HTTPError(401, 'Missing signature')

    # 2. Get the raw body for HMAC calculation: the exact bytes the sender signed
    payload = request.body.read()

    # 3. Compute local HMAC
    expected_signature = 'sha256=' + hmac.new(WEBHOOK_SECRET, payload, hashlib.sha256).hexdigest()

    # 4. Constant-time comparison to prevent timing attacks.
    #    Compare bytes: compare_digest on str raises TypeError for non-ASCII input.
    if not hmac.compare_digest(expected_signature.encode('ascii'), signature.encode('utf-8')):
        raise HTTPError(403, 'Invalid signature')

    # 5. Only now parse and process the verified data
    data = json.loads(payload)
    return {'status': 'verified', 'action': data.get('action')}
```
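The check above is easiest to reason about when the sender and receiver sides sit next to each other and the forgery attempts are spelled out. The following is an added, framework-free example written for this page, not code from the original article: it factors the verification out of the Bottle handler into a verify_signature() function (a name and signature chosen here, not a Bottle or GitHub API), signs a constructed sample payload, and then runs the cases a practitioner should expect to be rejected: a body edited after signing, a wrong secret, a missing header, an unsupported scheme prefix, an unset (empty) secret, and a body that carries the same JSON but different bytes because it was re-serialized before hashing.

```python
import hmac
import hashlib
import json
from typing import Dict, Optional, Tuple

HEADER_PREFIX = 'sha256='


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: build the X-Hub-Signature-256 header value for the raw body bytes."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return HEADER_PREFIX + digest


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> Tuple[bool, str]:
    """Receiver side: returns (accepted, reason). The body must not be trusted until this passes."""
    if not secret:
        # Fail closed: an empty key would accept anything signed with an empty key
        return False, 'secret not configured'
    if not header:
        return False, 'missing signature header'
    if not header.startswith(HEADER_PREFIX):
        return False, 'unsupported signature scheme'
    expected = sign_payload(secret, body)
    # Constant-time comparison on bytes; str operands would raise on non-ASCII input
    if not hmac.compare_digest(expected.encode('ascii'), header.encode('utf-8')):
        return False, 'signature mismatch'
    return True, 'ok'


def run_scenarios() -> Dict[str, bool]:
    """Exercise the verifier against a valid request and several forgeries (all inputs constructed)."""
    secret = b'constructed-demo-secret'
    body = b'{"action":"deploy","ref":"refs/heads/main"}'   # compact JSON as a sender would emit it
    good_header = sign_payload(secret, body)

    # Attacker edits the body but replays the sender's valid header
    tampered = body.replace(b'"ref":"refs/heads/main"', b'"ref":"refs/heads/evil"')

    # Receiver re-serializes the JSON before hashing: same data, different bytes, so HMAC fails.
    # This is why the handler must hash request.body.read(), not json.dumps(request.json).
    reserialized = json.dumps(json.loads(body)).encode()

    wrong_scheme = 'sha1=' + good_header[len(HEADER_PREFIX):]

    return {
        'valid': verify_signature(secret, body, good_header)[0],
        'tampered body': verify_signature(secret, tampered, good_header)[0],
        'wrong secret': verify_signature(b'other-secret', body, good_header)[0],
        'missing header': verify_signature(secret, body, None)[0],
        'wrong scheme': verify_signature(secret, body, wrong_scheme)[0],
        'empty secret': verify_signature(b'', body, sign_payload(b'', body))[0],
        'reserialized body': verify_signature(secret, reserialized, good_header)[0],
    }


if __name__ == '__main__':
    for case, accepted in run_scenarios().items():
        print(f'{case:18s} -> {"ACCEPT" if accepted else "REJECT"}')
```

Inside a Bottle handler the same function is called with request.body.read() and request.get_header('X-Hub-Signature-256'), raising HTTPError(401) or HTTPError(403) on a False result before the body is parsed. Only the 'valid' case is accepted; every other scenario, including the byte-identical-data-but-different-bytes case, is rejected, which is the behaviour you want from a verifier that signs the wire bytes rather than the parsed object.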
Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.