GuardAPI Logo
GuardAPI

Fix Insecure Webhooks in Feathers

Webhooks in FeathersJS are often low-hanging fruit for attackers. If you're exposing an endpoint like /webhooks/payments without cryptographic verification, you're essentially handing over an unauthenticated admin API. Attackers can spoof events, bypass payment gates, or trigger internal logic by replaying captured payloads. Real security requires strict HMAC signature verification and timestamp checking to prevent replay attacks.

The Vulnerable Pattern

app.use('/webhooks/stripe', {
  create: async (data, params) => {
    // VULNERABLE: No signature verification
    // An attacker can POST any JSON to this endpoint
    const { type, data: { object } } = data;
    if (type === 'checkout.session.completed') {
      await app.service('orders').patch(object.metadata.orderId, { status: 'paid' });
    }
    return { received: true };
  }
});

The Secure Implementation

The vulnerability stems from trusting the HTTP request body without verifying its origin. In the secure implementation, we use a shared secret known only to the provider and our server. We compute a SHA256 HMAC of the raw request body and compare it to the signature provided in the headers. If they don't match, the request is dropped. Note: In Feathers/Express, you must ensure you are hashing the raw buffer if the provider computes signatures based on the raw body, as JSON stringification can sometimes alter the payload structure and break verification.

const crypto = require('crypto');
const { BadRequest } = require('@feathersjs/errors');

// Middleware to verify HMAC signature
const verifySignature = (req, res, next) => {
const signature = req.headers[‘x-webhook-signature’];
const secret = process.env.WEBHOOK_SECRET;
const hmac = crypto.createHmac(‘sha256’, secret)
.update(JSON.stringify(req.body))
.digest(‘hex’);


if (signature !== hmac) {
throw new BadRequest(‘Invalid webhook signature’);
}
next();
};


// Apply to specific route before processing
app.post(‘/webhooks/stripe’, verifySignature, async (req, res) => {
const { type, data } = req.body;
// Process verified data…
res.status(200).json({ status: ‘verified’ });
});

System Alert • ID: 8072
Target: Feathers API
Potential Vulnerability

Your Feathers API might be exposed to Insecure Webhooks

74% of Feathers apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X