
Add webhook URL validation schema #91

Description

@therealjhay

Description: Webhook URLs need validation — must be HTTPS in production, must not be localhost, must have a reasonable length. Currently they're validated as plain strings.

Requirements:

  • Define WebhookUrlSchema with URL validation, HTTPS requirement (configurable by env)
  • Reject localhost, 127.0.0.1, and private IPs in production
  • Limit URL length to 2048 characters
  • Export for use in merchant settings and webhook subscription schemas

Suggested execution steps:

  1. Create WebhookUrlSchema = z.string().url().max(2048)
  2. Add .refine((url) => !NODE_ENV_PROD || url.startsWith('https://'), 'Webhook URL must use HTTPS in production')
  3. Add IP range checks for private/reserved addresses

Example commit message:

feat(validation): add webhook URL validation schema with security checks

WebhookUrlSchema validates URL format, enforces HTTPS in production,
and rejects localhost/private IPs to prevent SSRF.
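
The check in step 3, sketched as an added example that is not part of the issue or the project's code: plain JavaScript without zod, parsing with the WHATWG `URL` class so that alternate spellings of an address (`0x7f.1`, `2130706433`, `[::ffff:127.0.0.1]`) are normalized before the range test. The names `checkWebhookUrl`, `isBlockedV4`, `isBlockedV6` and the exact list of blocked ranges are assumptions.

```javascript
// Added example, not project code. Range list and function names are assumptions.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const v4ToInt = (ip) => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);

function isBlockedV4(ip) {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // compare the network part without 32-bit overflow
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

// `host` is the bracket-free, lower-cased, compressed form that URL produces.
function isBlockedV6(host) {
  if (host === '::' || host === '::1') return true; // unspecified, loopback
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mapped) { // IPv4-mapped: re-check the embedded IPv4 address
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = parseInt(host.split(':')[0] || '0', 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

// Returns null when the URL is acceptable, otherwise the rejection reason.
function checkWebhookUrl(input, production) {
  if (typeof input !== 'string' || input.length > 2048) return 'URL too long';
  let url;
  try { url = new URL(input); } catch { return 'Invalid URL'; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return 'Unsupported scheme';
  if (!production) return null;
  if (url.protocol !== 'https:') return 'Webhook URL must use HTTPS in production';
  const host = url.hostname.replace(/\.$/, ''); // drop a trailing root dot
  if (host === 'localhost' || host.endsWith('.localhost')) return 'localhost not allowed';
  if (host.startsWith('[')) {
    return isBlockedV6(host.slice(1, -1)) ? 'Private or reserved address' : null;
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isBlockedV4(host)) return 'Private or reserved address';
  return null;
}
```

A schema-time check like this only sees literal addresses; a hostname that resolves to a private address passes it, so the resolved address still has to be checked when the webhook is delivered.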
