How to fix Insecure Webhooks
in Vapor (Swift)
Executive Summary
Insecure webhooks are a prime target for attackers looking to bypass authentication and inject unauthorized data into your backend. If your Vapor application processes incoming POST requests from third-party services (like GitHub or Stripe) without verifying the HMAC signature, you're essentially providing an unauthenticated API endpoint. This guide demonstrates how to implement cryptographic signature verification to ensure payload integrity and origin authenticity.
The Vulnerable Pattern
app.post("webhook") { req -> HTTPStatus in
// VULNERABILITY: No signature verification.
// Anyone can send a POST request to this endpoint with a forged payload.
let payload = try req.content.decode(WebhookPayload.self)
try await processOrder(payload)
return .ok
}The Secure Implementation
The secure implementation mitigates spoofing and data tampering by performing three critical steps: 1. It extracts the raw request body before decoding, ensuring the hash is calculated on the exact data received. 2. It uses HMAC-SHA256 with a shared secret stored in environment variables to generate a local signature. 3. It performs a comparison against the provider's signature. Note: In a production environment, ensure the comparison is constant-time to prevent timing side-channel attacks, and always use the raw byte buffer for HMAC calculation rather than a serialized string to avoid encoding discrepancies.
import Cryptoapp.post(“webhook”) { req -> HTTPStatus in guard let signature = req.headers.first(name: “X-Hub-Signature-256”), let bodyData = req.body.data else { throw Abort(.unauthorized) }
let secret = Environment.get("WEBHOOK_SECRET") ?? "" let key = SymmetricKey(data: Data(secret.utf8)) let signatureData = Data(signature.replacingOccurrences(of: "sha256=", with: "").hexBytes) // Calculate HMAC-SHA256 let authenticationCode = HMAC<SHA256>.authenticationCode(for: bodyData, using: key) // Secure comparison to prevent timing attacks guard Data(authenticationCode) == signatureData else { throw Abort(.unauthorized) } let payload = try JSONDecoder().decode(WebhookPayload.self, from: bodyData) try await processOrder(payload) return .ok}
// Helper for hex string conversion extension String { var hexBytes: [UInt8] { var bytes = UInt8 var chars = Array(self) for i in stride(from: 0, to: chars.count, by: 2) { let chunk = String(chars[i..<min(i + 2, chars.count)]) if let byte = UInt8(chunk, radix: 16) { bytes.append(byte) } } return bytes } }
Your Vapor (Swift) API
might be exposed to Insecure Webhooks
74% of Vapor (Swift) apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.