Detector of The Month – Stripe webhook secret, April 2022
In the Detector of the month series, we feature our favorite projects or services GitGuardian’s secrets detection engine supports. This month, our engineering team shipped a specific detector for Stripe webhook secrets!
What does Stripe do?
Stripe's software and APIs help millions of businesses of all sizes – from startups to large enterprises – accept payments, send payouts, and manage their businesses online. Their hero tagline says it all: Stripe offers payment infrastructure for the internet.
Keep Stripe webhook signing secrets protected with GitGuardian!
Secrets sprawl is still a hot issue for developers and security engineers. Last year, our monitoring of public GitHub revealed a two-fold increase in the number of leaked credentials, with more than 6 million exposed throughout 2021! In other words, 3 commits out of 1,000 exposed at least one secret.
At GitGuardian, we’re committed to helping developers reduce the risk of exposing their secrets, and here’s how we’re doing it:
- We notify developers whenever they misstep and leave plaintext credentials in git repositories, thanks to our library of 350+ built-in specific and generic detectors.
- We share with developers the best practices around code security and secrets management and how to implement them at both the individual and team levels.
The risks of secrets in code can never be overstated, especially when the secret gives access to, or lets an attacker impersonate, your payments infrastructure. Stripe notifies your servers of events (e.g. a completed payment) by POSTing them to a webhook endpoint you register. Each delivery carries a Stripe-Signature header: an HMAC-SHA256, keyed with the endpoint's signing secret, computed over the event timestamp and the raw request body. Your endpoint should verify this signature to confirm that the event really came from Stripe and was not altered in transit, and should reject events whose timestamp is too old, which is what guards against replaying a previously captured event. Whoever holds the signing secret can produce a valid signature for any payload, so a leaked secret lets an attacker feed your backend fabricated events such as a payment that never happened. The key used to sign these events must therefore remain secret.
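The following is an added example, not code from GitGuardian's engine or Stripe's SDK: it reimplements the documented v1 signature scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, carried in the `Stripe-Signature` header as `t=...,v1=...`) so the verification, the replay window and secret rotation can be seen end to end. The secret `DEMO_SECRET`, the sample event body and the `STRIPE_WEBHOOK_SECRET` variable name are constructed for the example; in production use Stripe's official library and the secret shown in your dashboard.

```python
import hashlib
import hmac
import os
import time
from typing import List, Mapping, Optional, Tuple

# Constructed demo secret for this example only. Real signing secrets shown in
# the Stripe dashboard also start with "whsec_", but this value is made up.
DEMO_SECRET = "whsec_EXAMPLEonlyNotARealSigningSecret000"
DEFAULT_TOLERANCE = 300  # seconds; the default tolerance in Stripe's official libraries


def load_webhook_secret(env: Mapping[str, str] = os.environ) -> str:
    """Fetch the signing secret from the environment instead of source code.

    Raise rather than fall back to a hardcoded value: a missing secret should
    fail deployment loudly, not silently accept unsigned events.
    """
    secret = env.get("STRIPE_WEBHOOK_SECRET", "")
    if not secret.startswith("whsec_"):
        raise RuntimeError("STRIPE_WEBHOOK_SECRET is unset or not a webhook signing secret")
    return secret


def compute_signature(timestamp: int, payload: bytes, secret: str) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (Stripe's v1 scheme).

    The whole secret string, including the whsec_ prefix, is the HMAC key.
    """
    signed_payload = str(timestamp).encode("utf-8") + b"." + payload
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(timestamp: int, payload: bytes, *secrets: str) -> str:
    """Build a Stripe-Signature header the way Stripe sends it.

    Several v1 entries appear while a secret is being rolled: Stripe signs
    with both the old and the new secret until the old one expires.
    """
    parts = [f"t={timestamp}"]
    parts += [f"v1={compute_signature(timestamp, payload, s)}" for s in secrets]
    return ",".join(parts)


def parse_signature_header(header: str) -> Tuple[Optional[int], List[str]]:
    """Split "t=...,v1=...,v1=..." into (timestamp, [v1 signatures])."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on garbage; caller treats it as invalid
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_stripe_signature(payload: bytes, header: str, secret: str,
                            tolerance: int = DEFAULT_TOLERANCE,
                            now: Optional[int] = None) -> bool:
    """Return True only if `payload` was signed with `secret` and is fresh.

    - payload must be the raw request body, not a re-serialised JSON object.
    - hmac.compare_digest keeps the comparison constant-time.
    - The timestamp window is what blocks replaying an old, validly signed event.
    """
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not signatures:
        return False

    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        return False  # stale or future-dated event: treat as a replay

    expected = compute_signature(timestamp, payload, secret).encode("ascii")
    # Any matching v1 entry is enough, which is what makes rotation seamless.
    return any(hmac.compare_digest(expected, sig.encode("utf-8")) for sig in signatures)


if __name__ == "__main__":
    # Constructed sample event; a real body is the JSON Stripe POSTs to you.
    body = b'{"id":"evt_demo","type":"checkout.session.completed"}'
    ts = int(time.time())
    header = build_signature_header(ts, body, DEMO_SECRET)
    print("genuine event accepted:", verify_stripe_signature(body, header, DEMO_SECRET))
    print("tampered body rejected:", not verify_stripe_signature(body + b" ", header, DEMO_SECRET))
```

Two details matter in practice: verify over the raw bytes your framework received (many frameworks parse and re-serialise JSON, which changes whitespace and breaks the HMAC), and keep the tolerance short, since within that window a captured delivery can still be replayed unless you also deduplicate on the event id.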
How to handle hardcoded Stripe webhook secrets?
Here’s what to do when you receive an alert from GitGuardian mentioning leaked Stripe webhook secrets:
- Understand the implications of the incident. A bad situation can be made worse if a secret is revoked without understanding how that secret is currently being used.
- Rotate and revoke the secret! Webhook signing secrets can be rolled directly from the endpoint's page in your Stripe dashboard. Stripe keeps signing with the old secret for the grace period you choose, so deploy the new secret to your server before the old one expires, and keep that period short: until it ends, anyone holding the leaked secret can still forge events.
- Improve your secrets management. Load the secret from an environment variable (for example via a .env file that is listed in .gitignore) or from a dedicated secrets manager, so that it never lives in source code again.
- Optional – Remove all evidence from your git history. Rewriting the git history or deleting the repository removes the secret from the commit log, but it is not trivial, it does not recall clones or copies that were already indexed, and it needs to be discussed with your team. Rotation, not history rewriting, is what neutralises the leak.
- Review access logs. Check for suspicious activity in the logs of the services impacted by the leaked credentials. For a webhook secret in particular, compare the events your endpoint accepted against the event log in the Stripe dashboard: a delivery your server processed that Stripe never sent is a forged event.
Learn more about how to verify events sent by Stripe to your webhook endpoints in the official documentation. Also, take a look at the best practices for using webhooks as recommended by Stripe in this guide.
What about other secrets?
GitGuardian helps developers keep 350+ types of secrets out of source code. GitGuardian's automated secrets detection and remediation solution secures every step of the development lifecycle, from code to cloud:
- On developer workstations with git hooks (pre-commit and pre-push);
- On code sharing platforms like GitHub, GitLab, and Bitbucket;
- In CI environments (Circle CI, Travis CI, Jenkins CI, GitHub Actions, and many more);
- In Docker images.