Fix Insecure Webhooks in Tide
Insecure webhooks are a low-hanging fruit for attackers. Without signature verification, your Tide-based endpoint is a public API that trusts any arbitrary POST body. This allows for event spoofing, data corruption, and unauthorized state changes. To secure this, you must implement HMAC-SHA256 signature validation to ensure the payload originated from a trusted source and wasn't tampered with in transit.
The Vulnerable Pattern
func (app *App) WebhookHandler(c *tide.Context) {
	var event WebhookEvent
	if err := c.BindJSON(&event); err != nil {
		c.Error(400, "Invalid payload")
		return
	}
	// VULNERABILITY: Processing payload without verifying X-Tide-Signature.
	// Anyone who can reach this endpoint can inject an arbitrary event.
	app.ProcessEvent(event)
	c.JSON(200, tide.H{"status": "processed"})
}
The Secure Implementation
The secure implementation enforces a cryptographic check before any business logic runs:
1. It extracts the 'X-Tide-Signature' header.
2. It reads the raw request body, so the MAC is computed over exactly the bytes the sender signed, and restores it for binding.
3. It computes a local HMAC-SHA256 over that body using the pre-shared 'WEBHOOK_SECRET'.
4. It compares the result with 'hmac.Equal', a constant-time comparison that does not leak through timing how many leading bytes matched.
If the signature is missing or incorrect, the request is aborted with 401 before the payload is even parsed. Three caveats a practitioner should keep in mind: an unset or empty 'WEBHOOK_SECRET' is a configuration error and must fail closed rather than be used as the key; comparing hex strings is case-sensitive, so the sender must emit lowercase hex (or the header should be hex-decoded to bytes before comparison); and a MAC over the body alone does not stop replay of a captured, validly signed request, so if the sender includes a timestamp or unique event ID in the signed data, check that too. Reading the body with a size limit is also worth doing, since at this point the caller is still unauthenticated.
func (app *App) WebhookHandler(c *tide.Context) {
	signature := c.GetHeader("X-Tide-Signature")
	secret := []byte(os.Getenv("WEBHOOK_SECRET"))
	if len(secret) == 0 {
		// Misconfiguration: an unset secret is a key anyone can guess. Fail closed.
		c.Abort(500)
		return
	}
	body, err := io.ReadAll(c.Request.Body)
	if err != nil {
		c.Abort(400)
		return
	}
	c.Request.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore body for binding
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	expectedSig := hex.EncodeToString(h.Sum(nil))
	if !hmac.Equal([]byte(signature), []byte(expectedSig)) {
		c.Abort(401) // Missing or wrong signature: reject before any business logic
		return
	}
	var event WebhookEvent
	if err := c.BindJSON(&event); err != nil {
		c.Error(400, "Invalid payload")
		return
	}
	app.ProcessEvent(event)
	c.JSON(200, tide.H{"status": "verified"})
}
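The same verification written against Go's standard net/http so it can be run and tested offline. This is an added example, not code from the page or from Tide: the header name and the HMAC-SHA256-over-raw-body scheme follow the page, while the WebhookEvent shape, the 1 MiB body cap, the sample payloads and the StatusFor harness are constructed for illustration. It goes a little beyond the snippet above: the header is hex-decoded before the constant-time compare (so digit case does not matter and malformed headers fail closed), the body is read through a size limit, and the sender side (SignPayload) is included so both halves of the exchange are visible.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// WebhookEvent is a constructed event shape for this example, not a type from the page.
type WebhookEvent struct {
	ID   string `json:"id"`
	Type string `json:"type"`
}

// maxWebhookBody caps how many bytes are buffered before the signature is checked, so an
// unauthenticated sender cannot make the server hold an arbitrarily large body.
const maxWebhookBody = 1 << 20

// SignPayload is the sender side: hex(HMAC-SHA256(secret, body)) for X-Tide-Signature.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature recomputes the MAC over the exact bytes received and compares it with the
// header in constant time. The header is hex-decoded first, so the comparison is over raw MAC
// bytes (hex digit case no longer matters) and a malformed header fails closed.
func VerifySignature(secret, body []byte, header string) bool {
	if len(secret) == 0 || header == "" {
		return false
	}
	received, err := hex.DecodeString(header)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(received, mac.Sum(nil))
}

// NewWebhookHandler returns a net/http handler that verifies the signature over the raw body
// before any JSON decoding or business logic runs.
func NewWebhookHandler(secret []byte, process func(WebhookEvent)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxWebhookBody+1))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if len(body) > maxWebhookBody {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !VerifySignature(secret, body, r.Header.Get("X-Tide-Signature")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var event WebhookEvent
		if err := json.Unmarshal(body, &event); err != nil {
			http.Error(w, "invalid payload", http.StatusBadRequest)
			return
		}
		process(event)
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"verified"}`)
	}
}

// StatusFor delivers one request to the handler in-process and returns the status code;
// it exists to exercise the handler offline and is not something a service would expose.
func StatusFor(secret, body []byte, sigHeader string) int {
	handler := NewWebhookHandler(secret, func(WebhookEvent) {})
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	if sigHeader != "" {
		req.Header.Set("X-Tide-Signature", sigHeader)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("example-shared-secret") // constructed; load from WEBHOOK_SECRET in practice
	body := []byte(`{"id":"evt_1","type":"payment.completed"}`)
	forged := []byte(`{"id":"evt_1","type":"refund.issued"}`)
	fmt.Println("valid:", StatusFor(secret, body, SignPayload(secret, body)))
	fmt.Println("tampered body, old signature:", StatusFor(secret, forged, SignPayload(secret, body)))
	fmt.Println("no signature:", StatusFor(secret, body, ""))
}
```

Note the ordering inside the handler: size check, then signature, then JSON decoding. Everything before the signature check runs for an attacker, so it is kept to a bounded read; everything after it only runs for a sender that holds the secret. Replay protection is still not covered here, for the reason given in the caveats above.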
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.