SEC006errorFree tier

webhook-security-bypass

Webhook signature verification should never be skipped

Applies to: JavaScript, Python, TypeScript

Why this matters

Webhook endpoints receive data from external services (Stripe, GitHub, etc.). Without signature verification, attackers can forge webhook payloads to trigger unauthorized actions like fake payments or deployments. Patterns that skip verification 'for development' often accidentally ship to production.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC006 includedstablestack explain SEC006

False positive in your codebase? Suppress a single line with # noqa: SEC006