Webhook Security in Next.js: Signatures, Idempotency, and Avoiding Common Mistakes

How-To, Tools

via Dev.to, Atlas Whoff

Webhooks are one of the most common attack surfaces in developer applications. They receive unauthenticated POST requests from the internet, execute code based on that input, and often trigger irreversible actions like sending emails or processing payments. Here's how to secure them properly.

The Core Risk

An unsecured webhook endpoint accepts requests from anyone. An attacker who discovers your Stripe webhook URL can send fake payment events and trigger product delivery without paying. An attacker who finds your GitHub webhook can trigger deployments at will. Webhook security has three layers: authentication, validation, and idempotency.

Layer 1: Verify the Signature

Every serious webhook provider (Stripe, GitHub, Twilio, Shopify) signs their requests with a secret. Always verify that signature before doing anything with the payload.

Stripe Webhooks

    // src/app/api/webhooks/stripe/route.ts
    import { NextRequest, NextResponse } from "next/server"
    import Stripe from "stripe"
    const st
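The article's excerpt cuts off before the verification code, so here is an added example (not the article's or Stripe's own code) that re-implements the Stripe-style check with Node's crypto module instead of calling the Stripe SDK, and adds the idempotency layer the title promises. It assumes the Stripe header format "t=<unix seconds>,v1=<hex HMAC-SHA256 of '<t>.<raw body>'>"; in a Next.js route handler the rawBody must be `await request.text()`, since the signature covers the exact bytes, not a re-serialized `request.json()`.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Verifies a Stripe-style signature header against the raw request body.
// Rejects stale timestamps so a captured request cannot be replayed later.
export function verifyStripeStyleSignature(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number,
  toleranceSeconds = 300,
): boolean {
  const parts = new Map<string, string>();
  for (const kv of header.split(",")) {
    const [k, v] = kv.split("=");
    if (k && v) parts.set(k.trim(), v.trim());
  }
  const t = parts.get("t");
  const v1 = parts.get("v1");
  if (!t || !v1) return false;
  const ts = Number(t);
  if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > toleranceSeconds) return false;
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(v1, "hex");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Signs a body the way the provider would; used only to build constructed test fixtures.
export function signStripeStyle(rawBody: string, secret: string, t: number): string {
  const v1 = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${v1}`;
}

// Idempotency: each event id is processed at most once. An in-memory Set is enough
// for a demo; a real deployment persists seen ids (database/cache) across instances.
const processedEventIds = new Set<string>();

export function handleWebhook(rawBody: string, header: string, secret: string, nowSeconds: number): string {
  if (!verifyStripeStyleSignature(rawBody, header, secret, nowSeconds)) return "rejected";
  const event = JSON.parse(rawBody) as { id: string; type: string };
  if (processedEventIds.has(event.id)) return "duplicate";
  processedEventIds.add(event.id);
  // Trigger the irreversible side effect (fulfilment, email) only past this point.
  return "processed";
}
```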
