Skip to content
Stoma

Webhook Firewall

Use Case

Section titled “Use Case”

Accept third-party webhooks safely by layering authentication, size limits, and threat checks before your internal handler/service sees the request.

Recipe

Section titled “Recipe”
{
  path: "/webhooks/provider-a",
  methods: ["POST"],
  pipeline: {
    policies: [
      apiKeyAuth({
        headerName: "x-provider-signature",
        validate: (sig) => verifySignature(sig),
      }),
      requestLimit({ maxBytes: 128_000 }),
      jsonThreatProtection({ maxDepth: 10, maxArraySize: 50 }),
      regexThreatProtection({
        patterns: [
          { regex: "<script", targets: ["body"] },
        ],
      }),
      rateLimit({ max: 120 }),
    ],
    upstream: {
      type: "service-binding",
      service: "WEBHOOK_SERVICE",
    },
  },
}

Why it works

Section titled “Why it works”
  • Rejects spoofed senders early.
  • Rejects malformed/oversized payloads before app logic.
  • Contains abuse with bounded request rate.