- Documentation: https://stripe.com/docs/webhooks/best-practices#endpoint-secrets
- Summary: Stripe offers payment processing software and application programming interfaces (APIs) for e-commerce websites and mobile application. It can be integrated with webhooks to communicate with external applications. Events sent by Stripe via a webhook are signed to avoid a replay attack. The key used to sign these events should remain secret. This detector aims at catching such keys.
Webhooks secrets can be issued and revoked from the dashboard dedicated page.'
In addition to signing webhook events, Stripe sends events only from a given list of IPs. Checking the origin of webhook messages can help to detect suspicious activities.
Stripe webhook secret#
Category: Payment system
High recall: True
Validity check available: False
Minimum number of matches: 1
Occurrences found for one million commits: 1.5
- type: FilenameBanlistPreValidator banlist_extensions: - ^(cs|x|p|s|r)?html5?~?$ - ^[aps]?cssc?~?$ - ^lock$ - ^mdx?~?$ - ^storyboard(c|er)?~?$ - ^xib$ banlist_filenames:  check_binaries: false- type: ContentWhitelistPreValidator patterns: - whsec_
- text: "stripe_wh_secret: whsec_VV1cfD0WOqnGPzHKBYRnnEJ0z0g4I0Am" apikey: whsec_VV1cfD0WOqnGPzHKBYRnnEJ0z0g4I0Am