Skip to content

Stripe Webhook Secret

Service Name: Stripe

Service Description: Stripe is a technology company that builds economic infrastructure for the internet. Businesses of every size use Stripe's software to accept payments and manage their businesses online.

Service Address: https://stripe.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Stripe Dashboard

Secret Access Scope: Webhook secrets are used to verify that webhook events sent to your endpoint are genuinely from Stripe. They allow secure communication between Stripe and your application by validating the signature of incoming webhook events.

Secret Revokement URL: https://dashboard.stripe.com/webhooks

Secret Example: whsec_1234567890abcdefghijklmnopqrstuvwxyz

Suspicious Activity Investigation Instructions:

  • Review your application logs for any unauthorized webhook processing attempts
  • Check Stripe Dashboard for unexpected webhook endpoints or configurations
  • Verify recent webhook events in the Stripe Dashboard under Developers > Webhooks > Recent events
  • Look for any failed webhook deliveries or signature verification failures
  • Monitor your application for any actions triggered by webhook events that weren't expected

Mitigation Instructions:

  • Rotate the webhook signing secret by creating a new endpoint in the Stripe

Dashboard

  • Update your application with the new webhook secret
  • Delete the compromised webhook endpoint after confirming the new one is

working

  • Review your code to ensure webhook signatures are properly verified
  • Consider implementing additional security measures like IP filtering for

webhook endpoints

  • Audit your application for any unauthorized actions that may have been

triggered by compromised webhooks