Expected Findings
- Webhook rejects events with missing or invalid `Stripe-Signature` headers.
- Comparison is constant-time (`hmac.Equal`).
- Each environment uses a distinct webhook secret.
Clean Reference
ref-webhook (Clean Reference)
Reference Stripe-style webhook handler that verifies HMAC with constant-time compare, requires the signature header, and rejects events without it.
Reference probe
Primary Flows
- Stripe webhook Returns 401 without valid signature
- Webhook policy Verification posture
Signals
Verify
if !hmac.Equal(expected, given) { return 401 }
Notes
- This scenario is a true-negative control.