Rules Hub
Coding Rules Library
Backend rule · Priority: P0 · Scope: universal · Stack: node
Tags: security, webhooks, authentication, integrity
Verify webhook signatures against the raw request body before trusting the event
For inbound webhooks, verify the provider signature against the raw (unparsed) request body using the shared secret before constructing or acting on the event.
PR: vinify-backend · org-mining-2026-06 · Created: Jun 17, 2026
Bad example (old code, TypeScript)

```typescript
import { Body, Post } from '@nestjs/common';

@Post('webhook')
handle(@Body() body: any) {
  // Nest has already JSON-parsed the body (JSON.parse() on it again would throw),
  // and nothing proves who sent it: anyone who can reach the URL can POST a fake event.
  const event = body; // unverified, anyone can POST
  return this.process(event);
}
```
Good example (new code, TypeScript)

```typescript
import { Post, Req, RawBodyRequest } from '@nestjs/common';
import type { Request } from 'express';

// Requires NestFactory.create(AppModule, { rawBody: true }) so req.rawBody holds the wire bytes.
@Post('webhook')
handle(@Req() req: RawBodyRequest<Request>) {
  const sig = req.headers['provider-signature'] as string | undefined;
  // The provider helper recomputes the signature over the exact raw bytes and rejects mismatches.
  const event = provider.constructEvent(req.rawBody, sig, webhookSecret);
  return this.process(event);
}
```
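The good example delegates to `provider.constructEvent`. The following added example (not code from the rule page or any provider SDK) shows what such a helper does underneath and why the rule insists on the raw body: the receiver recomputes an HMAC over the exact wire bytes, compares it in constant time, and only then parses. The header name, the hex HMAC-SHA256 format, the secret and the sample event are constructed assumptions; real providers often use timestamped schemes such as `t=...,v1=...`. The demo also shows that re-serializing a parsed body changes the bytes, so a signature computed over the original request no longer matches.

```typescript
// Added example: HMAC-SHA256 webhook verification over the raw body.
// Header name, signature format, secret and payload are constructed assumptions.
import { createHmac, timingSafeEqual } from 'node:crypto';

export type WebhookEvent = { id: string; type: string; data: unknown };

// Provider side: sign the exact bytes that go on the wire.
export function signPayload(rawBody: Buffer, secret: string): string {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side: recompute over the raw bytes and compare in constant time.
// Malformed or missing headers are rejected before any comparison.
export function verifySignature(rawBody: Buffer, headerValue: string | undefined, secret: string): boolean {
  if (!headerValue || !/^[0-9a-f]{64}$/.test(headerValue)) return false;
  const expected = Buffer.from(signPayload(rawBody, secret), 'hex');
  const given = Buffer.from(headerValue, 'hex');
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Parse only after verification; null means "reject the request".
export function constructEvent(rawBody: Buffer, headerValue: string | undefined, secret: string): WebhookEvent | null {
  if (!verifySignature(rawBody, headerValue, secret)) return null;
  return JSON.parse(rawBody.toString('utf8')) as WebhookEvent;
}

// Demonstration with a constructed event: raw bytes verify, a re-serialized copy of
// the same JSON does not, and a tampered body is rejected outright.
export function demo() {
  const secret = 'whsec_example_constructed'; // constructed sample secret
  const wire = Buffer.from('{ "id": "evt_1",  "type": "order.paid", "data": { "amount": 100 } }'); // constructed
  const sig = signPayload(wire, secret);

  const fromRaw = constructEvent(wire, sig, secret);
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(wire.toString('utf8'))));
  const fromParsed = verifySignature(reserialized, sig, secret);
  const tampered = Buffer.from(wire.toString('utf8').replace('100', '1'));
  const fromTampered = constructEvent(tampered, sig, secret);

  return { fromRaw, fromParsed, fromTampered };
}
```

In a Nest handler the `rawBody` argument is `req.rawBody` from the good example; feeding it a re-serialized `@Body()` object instead would fail verification on legitimate events, which is the usual symptom when the raw body is not preserved.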