
Stripe Webhook Secret

Description

General

  • Documentation: https://stripe.com/docs/webhooks/best-practices#endpoint-secrets
  • Summary: Stripe offers payment processing software and application programming interfaces (APIs) for e-commerce websites and mobile applications. It can be integrated with webhooks to communicate with external applications. Events sent by Stripe via a webhook are signed to prevent replay attacks. The key used to sign these events should remain secret. This detector aims to catch such keys.

Revoke the secret

Webhook secrets can be issued and revoked from the dedicated page of the dashboard.

Check for suspicious activity

In addition to signing webhook events, Stripe sends events only from a given list of IPs. Checking the origin of webhook messages can help detect suspicious activity.
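One way to run this origin check over the webhook endpoint's access log, as an added example that is not part of the detector or of Stripe's tooling. The allowlist entries are placeholders, and the log layout, the route `/stripe/webhook` and the assumption that the logged address is the real client address (no proxy in front) are all assumptions.

```python
import ipaddress
import re

# Placeholder allowlist (RFC 5737 documentation addresses), NOT Stripe's real
# list: load the addresses Stripe currently publishes for webhook delivery.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]
WEBHOOK_PATH = "/stripe/webhook"  # assumed route of the webhook endpoint

# Assumed access-log layout: ip - - [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_allowed(raw_ip):
    """True if raw_ip parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False  # unparsable source field: treat as suspicious
    return any(addr in net for net in ALLOWED_SOURCES)

def suspicious_webhook_hits(lines):
    """Return (time, ip, status) for webhook POSTs from non-allowlisted sources."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # not a parsable POST request
        if m["path"].split("?", 1)[0] != WEBHOOK_PATH:
            continue  # some other route
        if not is_allowed(m["ip"]):
            hits.append((m["time"], m["ip"], int(m["status"])))
    return hits

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "POST /stripe/webhook HTTP/1.1" 200 2 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:10:03:44 +0000] "POST /stripe/webhook HTTP/1.1" 200 2 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:10:03:50 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:05:12 +0000] "POST /stripe/webhook?x=1 HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for when, ip, status in suspicious_webhook_hits(SAMPLE_LOG):
        print(f"{when} unexpected source {ip} -> HTTP {status}")
```

A flagged line with a 2xx status deserves the closest look, since it means the endpoint accepted an event from a source outside the list.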

Details for Stripe webhook secret

  • Family: Api

  • Category: Payment system

  • Company: Stripe

  • High recall: True

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 8.52

  • Prefixed: True

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - whsec_

Examples

- text: "stripe_wh_secret: whsec_VV1cfC0WFqnTPzHIAYUnnDS0t9g8I3Az"
  apikey: whsec_VV1cfC0WFqnTPzHIAYUnnDS0t9g8I3Az
- text: "stripe_wh_secret: whsec_b2e1ebdcbdaf9ea3f983cf401e6e6cc1318cdadbecca663b0c8c0dc7f4ad7f87"
  apikey: whsec_b2e1ebdcbdaf9ea3f983cf401e6e6cc1318cdadbecca663b0c8c0dc7f4ad7f87