[gateway] Reject default placeholder GITHUB_WEBHOOK_SECRET in production #32

Description

@yinkscss

Context

.env.example uses change-me-to-github-webhook-secret. Nothing prevents deploying with default secrets.

Problem

Production deployments with guessable webhook secrets allow forged merge events.

Proposed scope

  • Add WAVEFLOW_ENV=production or detect Render env to enforce secret strength
  • Fail startup when secret matches known placeholders or is shorter than minimum length
  • Document required secret entropy in security checklist

Acceptance criteria

  • Placeholder secret fails startup in production mode
  • Development mode still allows example secret
  • Error message explains remediation
  • security-checklist.md updated

References

  • .env.example
  • crates/shared/src/config.rs
  • crates/gateway/src/main.rs
  • docs/security-checklist.md
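A sketch of the startup check proposed above, added here as an illustration; it is not code from the WaveFlow repository. The extra placeholder strings, the 32-byte minimum, and the use of a set `RENDER` variable to detect Render are assumptions; only `WAVEFLOW_ENV`, `GITHUB_WEBHOOK_SECRET` and the `.env.example` placeholder come from the issue.

```rust
use std::{env, fmt, process};
// Assumed values: the issue names only the first placeholder and sets no minimum length.
const PLACEHOLDERS: &[&str] = &["change-me-to-github-webhook-secret", "changeme", "secret"];
const MIN_SECRET_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum SecretError {
    Placeholder,
    TooShort { len: usize, min: usize },
}

impl fmt::Display for SecretError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SecretError::Placeholder => write!(f, "GITHUB_WEBHOOK_SECRET is a known placeholder")?,
            SecretError::TooShort { len, min } => write!(f, "GITHUB_WEBHOOK_SECRET is {} bytes, minimum is {}", len, min)?,
        }
        write!(f, "; generate a new one (for example `openssl rand -hex 32`) and set it in the deployment and in the GitHub webhook settings")
    }
}

/// WAVEFLOW_ENV=production is from the issue; treating a set RENDER variable as production is an assumption.
pub fn is_production(waveflow_env: Option<&str>, render: Option<&str>) -> bool {
    waveflow_env.map_or(false, |v| v.trim().eq_ignore_ascii_case("production")) || render.is_some()
}

pub fn check_webhook_secret(production: bool, secret: Option<&str>) -> Result<(), SecretError> {
    if !production {
        return Ok(()); // development keeps accepting the example secret
    }
    let s = secret.map(str::trim).unwrap_or("");
    // Placeholder check first: the .env.example value is 34 bytes and would pass a length-only test.
    if PLACEHOLDERS.iter().any(|p| p.eq_ignore_ascii_case(s)) {
        return Err(SecretError::Placeholder);
    }
    if s.len() < MIN_SECRET_LEN {
        return Err(SecretError::TooShort { len: s.len(), min: MIN_SECRET_LEN });
    }
    Ok(())
}

fn main() {
    let var = |k: &str| env::var(k).ok();
    let prod = is_production(var("WAVEFLOW_ENV").as_deref(), var("RENDER").as_deref());
    if let Err(e) = check_webhook_secret(prod, var("GITHUB_WEBHOOK_SECRET").as_deref()) {
        eprintln!("refusing to start: {}", e);
        process::exit(1);
    }
}
```

An unset or empty secret in production is reported as too short, so the same remediation message covers it.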

Labels

  • complexity:low (Trivial to low effort)
  • gateway (GitHub webhook gateway service)
  • help wanted (Extra attention is needed)
  • phase-3 (Phase 3: Production Hardening)
  • security (Security hardening)
