Stripe Webhook Secret

Description

General

  • Documentation: https://stripe.com/docs/webhooks/best-practices#endpoint-secrets
  • Summary: Stripe offers payment processing software and application programming interfaces (APIs) for e-commerce websites and mobile applications. It can be integrated with webhooks to communicate with external applications. Events sent by Stripe via a webhook are signed to avoid replay attacks. The key used to sign these events should remain secret. This detector aims to catch such keys.
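The signature check that this secret protects, as an added example (not code from this page or from Stripe's libraries): Stripe's documented `v1` scheme is an HMAC-SHA256 over `timestamp.payload`, keyed with the endpoint secret and sent in the `Stripe-Signature` header. The function names, secrets, event body and 300-second window below are constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window; tune for your endpoint


def sign(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over b"<timestamp>.<payload>", keyed with the endpoint secret."""
    signed_payload = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify(secret: str, header: str, payload: bytes,
           now: Optional[float] = None) -> bool:
    """Return True only for a correctly signed event inside the replay window."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False  # malformed or incomplete header
    expected = sign(secret, timestamp, payload).encode()
    # Constant-time comparison; a header may carry more than one v1 value.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        return False
    # A valid signature with an old timestamp is treated as a replayed event.
    now = time.time() if now is None else now
    return abs(now - timestamp) <= TOLERANCE_SECONDS


# Constructed sample values, not real credentials or real Stripe events.
OLD_SECRET = "whsec_EXAMPLEoldSecretConstructed0000000"
NEW_SECRET = "whsec_EXAMPLEnewSecretConstructed1111111"
BODY = b'{"id": "evt_constructed", "type": "charge.succeeded"}'
T0 = 1_700_000_000
HEADER = f"t={T0},v1={sign(OLD_SECRET, T0, BODY)}"

if __name__ == "__main__":
    print("fresh event:      ", verify(OLD_SECRET, HEADER, BODY, now=T0 + 10))
    print("outside window:   ", verify(OLD_SECRET, HEADER, BODY, now=T0 + 3600))
    print("body modified:    ", verify(OLD_SECRET, HEADER, BODY + b" ", now=T0 + 10))
    print("secret rotated:   ", verify(NEW_SECRET, HEADER, BODY, now=T0 + 10))
```

The last case shows the effect of revocation: once the endpoint verifies with the new secret, events signed with the exposed one are rejected.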

Revoke the secret

Webhook secrets can be issued and revoked from the dedicated dashboard page.

Check for suspicious activity

In addition to signing webhook events, Stripe sends events only from a given list of IP addresses. Checking the origin of webhook messages can help detect suspicious activity.

Details for Stripe webhook secret

  • Category: Payment system

  • Company: Stripe

  • High recall: True

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 1.5

  • Prefixed: True

  • PreValidators:

    - type: FilenameBanlistPreValidator
      banlist_extensions:
      - ^(cs|x|p|s|r)?html5?~?$
      - ^[aps]?cssc?~?$
      - ^lock$
      - ^mdx?~?$
      - ^storyboard(c|er)?~?$
      - ^xib$
      banlist_filenames: []
      check_binaries: false
    - type: ContentWhitelistPreValidator
      patterns:
      - whsec_

Examples

    - text: "stripe_wh_secret: whsec_VV1cfD0WOqnGPzHKBYRnnEJ0z0g4I0Am"
      apikey: whsec_VV1cfD0WOqnGPzHKBYRnnEJ0z0g4I0Am