Summary
The webhook endpoint at POST /webhook/{token} authenticates callers only by the project token in the URL. It does not verify that the request was actually signed by AWS SNS. Anyone who discovers a project's token can inject arbitrary fake events.
Implementation
Create app/Http/Middleware/ValidateSnsSignature.php:
- Read x-amz-sns-message-type and x-amz-sns-message-signature + x-amz-sns-signing-cert-url headers
- Validate the SigningCertURL is from an amazonaws.com domain (prevents certificate substitution attacks)
- Fetch the certificate (cache it — AWS rotates certs rarely)
- Build the string-to-sign per AWS SNS signature spec
- Verify with openssl_verify
- Return 403 on failure
Apply the middleware only to the webhook route in routes/web.php.
Note: SubscriptionConfirmation messages must also be verified — the signed fields differ slightly from Notification messages. Refer to AWS docs for both message type specifications.
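The core checks from the steps and the note above, as an added PHP 8 sketch that is not this project's code: certificate URL validation, the string-to-sign for both Notification and confirmation messages, and the openssl_verify call. Assumptions: the function names are hypothetical, the host pattern is deliberately narrower than "any amazonaws.com domain", Signature and SigningCertURL are taken from the JSON message body (where SNS places them), and the key and message at the bottom are constructed for the demo.

```php
<?php
// Accept only an HTTPS URL on an SNS regional host whose path ends in .pem.
function snsCertUrlIsTrusted(string $url): bool
{
    $p = parse_url($url);
    return is_array($p)
        && ($p['scheme'] ?? '') === 'https'
        && preg_match('/^sns\.[a-z0-9-]{3,}\.amazonaws\.com(\.cn)?$/', $p['host'] ?? '') === 1
        && str_ends_with($p['path'] ?? '', '.pem');
}

// String-to-sign: "Name\nValue\n" per signed field, in this fixed order.
function snsStringToSign(array $msg): string
{
    $fields = ($msg['Type'] ?? '') === 'Notification'
        ? ['Message', 'MessageId', 'Subject', 'Timestamp', 'TopicArn', 'Type']
        : ['Message', 'MessageId', 'SubscribeURL', 'Timestamp', 'Token', 'TopicArn', 'Type'];
    $out = '';
    foreach ($fields as $f) {
        if (isset($msg[$f])) { // Subject is optional on a Notification
            $out .= $f . "\n" . $msg[$f] . "\n";
        }
    }
    return $out;
}

// $pem is the PEM fetched from SigningCertURL (a certificate or a public key).
function snsSignatureIsValid(array $msg, string $pem): bool
{
    $known = ['Notification', 'SubscriptionConfirmation', 'UnsubscribeConfirmation'];
    $algo = ($msg['SignatureVersion'] ?? '1') === '2' ? OPENSSL_ALGO_SHA256 : OPENSSL_ALGO_SHA1;
    $sig = base64_decode($msg['Signature'] ?? '', true);
    return in_array($msg['Type'] ?? '', $known, true) && $sig !== false
        && openssl_verify(snsStringToSign($msg), $sig, $pem, $algo) === 1;
}

// Constructed demo: a throwaway RSA key stands in for the SNS signing certificate.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$msg = ['Type' => 'Notification', 'MessageId' => 'constructed-id', 'Message' => 'bounce',
    'Timestamp' => '2024-01-01T00:00:00.000Z', 'SignatureVersion' => '2',
    'TopicArn' => 'arn:aws:sns:us-east-1:123456789012:constructed-topic'];
openssl_sign(snsStringToSign($msg), $raw, $key, OPENSSL_ALGO_SHA256);
$msg['Signature'] = base64_encode($raw);

var_dump(snsSignatureIsValid($msg, $pub));                           // signed message
var_dump(snsSignatureIsValid(['Message' => 'forged'] + $msg, $pub)); // body altered after signing
var_dump(snsCertUrlIsTrusted('https://sns.us-east-1.amazonaws.com/constructed.pem'));
var_dump(snsCertUrlIsTrusted('https://sns.us-east-1.amazonaws.com.example.net/c.pem'));
```

In the middleware, the URL check has to pass before the certificate is fetched, and a false result from either function maps to the 403 response.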
Acceptance Criteria
403