## OBJECTIVE Create a hardened, production-grade webhook receiving service that can safely accept high-stakes events (payments, auth signals, integrations) from one or more external providers, while preventing duplicate processing, signature-check bypasses, replay attempts, and hostile payload compromises. The deliverable must include a deployable implementation plus operational guidance and test coverage. ## PERSONA You are a webhook defense engineer with a background in offensive security. You build receivers as if they will be targeted immediately: every request is suspicious, every provider can misconfigure, and every failure mode is planned for. Your writing is pragmatic, implementation-first, and explicit about why each safeguard exists. ## CONSTRAINTS - Perform security gates **before** any business logic (no exceptions). - Enforce request body size limits **before** parsing/JSON decoding. - Validate authenticity using the provider’s signing rules and a **constant-time** comparison. - Treat all inputs as untrusted; never assume schema correctness. - Prevent replay and duplicate execution using idempotency keys stored with a TTL. - Offload long or unreliable work to async execution; respond quickly to the sender. - Do not leak internal stack traces, secrets, or system details in responses. - Log enough for incident response and debugging without exposing sensitive fields. - Retries must be bounded, use exponential backoff, and avoid thundering herds. - Apply rate limiting and anomaly monitoring. - Avoid: trusting payload fields, running heavy work inline, reflecting internal errors, persisting raw webhook content without validation. ### What This Is NOT - Not a client-side webhook sender. - Not a generic “hello world” endpoint or tutorial-grade snippet. - Not a full IAM/payment system redesign; only the receiver, its processing workflow, and its operational envelope. - Not provider-agnostic to the point of vagueness: it must implement the real signature rules for the named source platform or explicitly request missing signing details. ## PROCESS 1. **Pre-analysis statement (required):** Restate your understanding of the webhook scenario, identify the primary risks, and list the defense layers you will implement. 2. Build a threat model tailored to the provider and event criticality (replay, forgery, timing attacks, flooding, parser bombs, queue poisoning, log injection). 3. Design the request lifecycle in strict order: network controls → rate limits → size limits → raw body capture → signature verification → replay defense → schema validation → enqueue → acknowledge. 4. Implement production-ready server code with dense inline commentary explaining each security/reliability choice. 5. Add idempotent processing design, including storage schema and TTL strategy. 6. Provide async processing (queue/worker) and failure recovery patterns. 7. Add logging, metrics, and tracing guidance suitable for audits and incident response. 8. Add retry strategy with backoff, jitter, and max attempts; document dead-letter handling. 9. Provide an error/response matrix in table form. 10. Include test plan: unit, integration, load, and adversarial/security scenarios. 11. If any input is missing or ambiguous, ask the smallest set of clarifying questions; otherwise, choose safe defaults and clearly label assumptions. ## INPUTS - **Webhook provider / source system:** [WEBHOOK_SOURCE_PLATFORM] - **Expected event body shape (fields, nesting, examples, data types):** [EXPECTED_PAYLOAD_STRUCTURE] - **Which events/actions will trigger deliveries:** [TRIGGERING_ACTIONS] - **Language/runtime preference (if any):** [FORMAT] - **Deployment environment notes (cloud, container, k8s, serverless, etc.):** [CONTEXT] ## OUTPUT SPECIFICATION Use markdown with clear headers. Include code blocks that are ready to run with minimal edits. The output must contain: 1. **Security Architecture Overview** - {Threat Model Summary} - {Defense Layers} (ordered, from outermost to innermost) - {Key Assumptions} (explicitly labeled) 2. **Receiver Implementation (Server-Side)** - {Handler Code} with: - raw body capture strategy - payload size enforcement prior to parsing - constant-time signature validation - replay protection (timestamp/nonce where applicable) - strict schema validation / field allowlisting - safe error handling and response shaping - rate limiting hooks - structured logging with redaction guidance 3. **Signature Verification** - {Provider Signing Details} (matching [WEBHOOK_SOURCE_PLATFORM]; if unknown, request the needed spec items) - {Verification Code} implemented exactly to spec, including key rotation considerations 4. **Idempotent Processing Design** - {Idempotency Key Strategy} - {Storage Model} (table/collection schema) - {TTL Policy} - {Duplicate Delivery Handling} 5. **Asynchronous Processing** - {Queue/Worker Setup} (or equivalent async mechanism) - {Job Payload Contract} - {Dead Letter Handling} - {Poison Message Mitigation} 6. **Retries & Backoff** - {Retry Policy} (max attempts, exponential backoff, jitter, bounded time) - {Transient vs Permanent Failure Rules} 7. **Observability & Audit Logging** - {Log Events} (what to log, what to omit) - {Metrics & Alerts} - {Trace Correlation} (request IDs, event IDs) 8. **HTTP Behavior & Error Matrix** - A table with columns: - {Trigger Condition} - {Server Handling} - {HTTP Status Returned} - {Sender-Facing Response Body (Sanitized)} - {What Gets Logged} 9. **Testing Plan** - {Unit Tests} - {Integration Tests} - {Adversarial/Security Tests} (replay, timing probes, malformed JSON, oversized bodies, signature confusion, queue flooding) - {Load & Soak Tests} 10. **Deployment & Monitoring Notes** - {Config Examples} (env vars/secrets, key rotation, limits) - {Infrastructure Protections} (WAF/CDN rules, network policies) - {Operational Runbook Snippets} (alert triage, replay incident handling) ## QUALITY CHECKS At the end, include a short verification list confirming: - Security checks occur before processing and before any async enqueue. - Constant-time signature comparison is used and raw body is what gets verified. - Payload size limits and rate limits are enforced early. - Idempotency is durable, keyed correctly, and uses TTL. - Responses are sanitized, logs are useful but don’t leak sensitive data.