GuardAPI Logo
GuardAPI

Fix Insecure Webhooks in Gatsby

Insecure webhooks in Gatsby-based CI/CD pipelines are a prime target for resource exhaustion and DoS attacks. If your build trigger endpoint doesn't verify the caller, an attacker can spam POST requests to force continuous rebuilds, burning through your build minutes and locking your deployment queue. Secure webhooks require cryptographic signature verification to ensure the payload originated from a trusted source like Contentful, Strapi, or GitHub.

The Vulnerable Pattern

export default function handler(req, res) {
  // VULNERABLE: Endpoint accepts any POST request without authentication
  if (req.method === 'POST') {
    console.log('Build trigger received, starting Gatsby build...');
    // Logic to trigger build via API or local command
    triggerBuild();
    return res.status(200).send('Build Started');
  }
  res.status(405).send('Method Not Allowed');
}

The Secure Implementation

The vulnerability lies in the lack of origin validation. The fix implements an HMAC (Hash-based Message Authentication Code) check. We generate a hash of the incoming request body using a shared secret and compare it to the signature provided in the headers. Crucially, we use `crypto.timingSafeEqual` to compare the buffers; standard string comparison is vulnerable to timing side-channel attacks that can leak the secret. Always store your `WEBHOOK_SECRET` in environment variables, never hardcoded.

import crypto from 'crypto';

export default function handler(req, res) {
const WEBHOOK_SECRET = process.env.GATSBY_WEBHOOK_SECRET;
const signature = req.headers[‘x-webhook-signature’]; // Header name varies by provider


if (!signature) {
return res.status(401).send(‘Missing signature’);
}


const hmac = crypto.createHmac(‘sha256’, WEBHOOK_SECRET);
const body = JSON.stringify(req.body);
const digest = hmac.update(body).digest(‘hex’);


// Use timingSafeEqual to prevent timing attacks
const trusted = Buffer.from(digest, ‘ascii’);
const untrusted = Buffer.from(signature, ‘ascii’);


if (trusted.length !== untrusted.length || !crypto.timingSafeEqual(trusted, untrusted)) {
return res.status(403).send(‘Invalid signature’);
}


triggerBuild();
return res.status(200).send(‘Build Verified and Triggered’);
}

System Alert • ID: 5906
Target: Gatsby API
Potential Vulnerability

Your Gatsby API might be exposed to Insecure Webhooks

74% of Gatsby apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X