Webhook endpoint has no rate limiting #160

@Ayush-Patel-56

Problem

/api/webhooks/github accepts POST requests with no rate limiting. Anyone who finds the endpoint can spam it and flood the Inngest queue.

Fix

Add rate limiting using the existing rateLimit() utility before processing the payload:

```ts
await rateLimit({ namespace: 'webhook', key: ip, limit: 100, windowSec: 60 });
```

File: src/app/api/webhooks/github/route.ts

Signature verification already exists - this is just an extra layer on top.
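
A sketch of the guard proposed above, as an added example that is not the project's `rateLimit()` utility or its route code: a fixed-window counter keyed the same way as the call in the issue, with a gate that answers 429 before any payload work is done. The names `checkRateLimit`, `webhookGate`, `MAX_KEYS` and the in-memory `Map` are assumptions made for illustration; a deployment with several instances would need a shared store instead.

```typescript
// Added example: hypothetical fixed-window limiter, not the project's rateLimit().
interface RateLimitOptions { namespace: string; key: string; limit: number; windowSec: number; }
interface RateLimitResult { allowed: boolean; remaining: number; retryAfterSec: number; }

const MAX_KEYS = 10000; // assumed soft cap so rotating keys cannot grow the map unchecked
const buckets = new Map<string, { resetAt: number; count: number }>();

function checkRateLimit(opts: RateLimitOptions, nowMs: number = Date.now()): RateLimitResult {
  const id = `${opts.namespace}:${opts.key}`;
  if (buckets.size >= MAX_KEYS) {
    // Sweep expired windows before admitting yet another key.
    buckets.forEach((b, k) => { if (nowMs >= b.resetAt) buckets.delete(k); });
  }
  let bucket = buckets.get(id);
  // Open a fresh window the first time a key is seen or once its window has expired.
  if (!bucket || nowMs >= bucket.resetAt) {
    bucket = { resetAt: nowMs + opts.windowSec * 1000, count: 0 };
    buckets.set(id, bucket);
  }
  if (bucket.count >= opts.limit) {
    // Over budget: report how long until the window resets, do not count the request.
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((bucket.resetAt - nowMs) / 1000) };
  }
  bucket.count += 1;
  return { allowed: true, remaining: opts.limit - bucket.count, retryAfterSec: 0 };
}

// Gate for the webhook route: decide before the body is parsed, verified or queued.
function webhookGate(ip: string, nowMs: number = Date.now()): { status: number; headers: Record<string, string> } {
  const r = checkRateLimit({ namespace: 'webhook', key: ip, limit: 100, windowSec: 60 }, nowMs);
  if (!r.allowed) {
    return { status: 429, headers: { 'Retry-After': String(r.retryAfterSec) } };
  }
  return { status: 202, headers: { 'X-RateLimit-Remaining': String(r.remaining) } };
}
```

The bucket is only as trustworthy as the source of `ip`: if it is read from a client-supplied forwarding header rather than one set by a trusted proxy, a sender can pick its own bucket.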

Labels

- GSSOC26: GirlScript Summer of Code 2026
- backend: Backend / API / DB related
- bug: Something isn't working
- level:intermediate: Intermediate level difficulty
- type:security: Security fix or improvement
