1:"$Sreact.fragment"
2:I[75473,["/_next/static/chunks/316a3a63422f35de.js"],"default"]
3:I[78515,["/_next/static/chunks/316a3a63422f35de.js"],"default"]
4:I[30687,["/_next/static/chunks/fd0661f1506dcbc6.js"],"Toaster"]
5:I[61076,["/_next/static/chunks/fd0661f1506dcbc6.js"],"Analytics"]
7:I[47913,["/_next/static/chunks/316a3a63422f35de.js"],"OutletBoundary"]
8:"$Sreact.suspense"
a:I[47913,["/_next/static/chunks/316a3a63422f35de.js"],"ViewportBoundary"]
c:I[47913,["/_next/static/chunks/316a3a63422f35de.js"],"MetadataBoundary"]
e:I[90849,["/_next/static/chunks/316a3a63422f35de.js"],"default"]
:HL["/_next/static/chunks/609ea7bc18d0d15f.css","style"]
:HL["/_next/static/chunks/93b606aa9fdccd13.css","style"]
:HL["/_next/static/media/797e433ab948586e-s.p.479bea2b.woff2","font",{"crossOrigin":"","type":"font/woff2"}]
:HL["/_next/static/media/caa3a2e1cccd8315-s.p.3b6cae6d.woff2","font",{"crossOrigin":"","type":"font/woff2"}]
0:{"P":null,"b":"TlpKRvbES4zzM7LeczAM7","c":["","blog","hmac-empty-secret-bypass"],"q":"","i":false,"f":[[["",{"children":["blog",{"children":[["slug","hmac-empty-secret-bypass","d"],{"children":["__PAGE__",{}]}]}]},"$undefined","$undefined",true],[["$","$1","c",{"children":[[["$","link","0",{"rel":"stylesheet","href":"/_next/static/chunks/609ea7bc18d0d15f.css","precedence":"next","crossOrigin":"$undefined","nonce":"$undefined"}],["$","link","1",{"rel":"stylesheet","href":"/_next/static/chunks/93b606aa9fdccd13.css","precedence":"next","crossOrigin":"$undefined","nonce":"$undefined"}],["$","script","script-0",{"src":"/_next/static/chunks/fd0661f1506dcbc6.js","async":true,"nonce":"$undefined"}]],["$","html",null,{"lang":"en","children":[["$","head",null,{"children":[["$","script",null,{"async":true,"src":"https://www.googletagmanager.com/gtag/js?id=AW-18009878040"}],["$","script",null,{"dangerouslySetInnerHTML":{"__html":"\n          window.dataLayer = window.dataLayer || [];\n          function gtag(){dataLayer.push(arguments);}\n          gtag('js', new Date());\n          gtag('config', 'AW-18009878040');\n          gtag('config', 'G-W3XKYXV2SG');\n\n          // Persist UTM and gclid params to sessionStorage for cross-page tracking\n          (function() {\n            var params = new URLSearchParams(window.location.search);\n            var keys = ['utm_source','utm_medium','utm_campaign','utm_content','utm_term','gclid'];\n            keys.forEach(function(k) {\n              var v = params.get(k);\n              if (v) sessionStorage.setItem(k, v);\n            });\n          })();\n        "}}]]}],["$","body",null,{"className":"font-sans antialiased","children":[["$","$L2",null,{"parallelRouterKey":"children","error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L3",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":[[["$","title",null,{"children":"404: This page could not be 
found."}],["$","div",null,{"style":{"fontFamily":"system-ui,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif,\"Apple Color Emoji\",\"Segoe UI Emoji\"","height":"100vh","textAlign":"center","display":"flex","flexDirection":"column","alignItems":"center","justifyContent":"center"},"children":["$","div",null,{"children":[["$","style",null,{"dangerouslySetInnerHTML":{"__html":"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}"}}],["$","h1",null,{"className":"next-error-h1","style":{"display":"inline-block","margin":"0 20px 0 0","padding":"0 23px 0 0","fontSize":24,"fontWeight":500,"verticalAlign":"top","lineHeight":"49px"},"children":404}],["$","div",null,{"style":{"display":"inline-block"},"children":["$","h2",null,{"style":{"fontSize":14,"fontWeight":400,"lineHeight":"49px","margin":0},"children":"This page could not be found."}]}]]}]}]],[]],"forbidden":"$undefined","unauthorized":"$undefined"}],["$","$L4",null,{"position":"top-center","richColors":true,"toastOptions":{"style":{"background":"var(--popover)","color":"var(--popover-foreground)","border":"1px solid 
var(--border)"}}}],["$","$L5",null,{}]]}]]}]]}],{"children":[["$","$1","c",{"children":[null,["$","$L2",null,{"parallelRouterKey":"children","error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L3",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","forbidden":"$undefined","unauthorized":"$undefined"}]]}],{"children":[["$","$1","c",{"children":[null,["$","$L2",null,{"parallelRouterKey":"children","error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L3",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","forbidden":"$undefined","unauthorized":"$undefined"}]]}],{"children":[["$","$1","c",{"children":["$L6",[["$","script","script-0",{"src":"/_next/static/chunks/94245cbda44972fe.js","async":true,"nonce":"$undefined"}],["$","script","script-1",{"src":"/_next/static/chunks/af778fff4a0f4be6.js","async":true,"nonce":"$undefined"}],["$","script","script-2",{"src":"/_next/static/chunks/b096b037d08e2f31.js","async":true,"nonce":"$undefined"}]],["$","$L7",null,{"children":["$","$8",null,{"name":"Next.MetadataOutlet","children":"$@9"}]}]]}],{},null,false,false]},null,false,false]},null,false,false]},null,false,false],["$","$1","h",{"children":[null,["$","$La",null,{"children":"$Lb"}],["$","div",null,{"hidden":true,"children":["$","$Lc",null,{"children":["$","$8",null,{"name":"Next.Metadata","children":"$Ld"}]}]}],["$","meta",null,{"name":"next-size-adjust","content":""}]]}],false]],"m":"$undefined","G":["$e",[]],"S":true}
f:I[15579,["/_next/static/chunks/fd0661f1506dcbc6.js","/_next/static/chunks/94245cbda44972fe.js","/_next/static/chunks/af778fff4a0f4be6.js","/_next/static/chunks/b096b037d08e2f31.js"],"Navigation"]
10:I[3013,["/_next/static/chunks/fd0661f1506dcbc6.js","/_next/static/chunks/94245cbda44972fe.js","/_next/static/chunks/af778fff4a0f4be6.js","/_next/static/chunks/b096b037d08e2f31.js"],""]
:HL["/blog/posts/hmac-empty-secret-bypass/hero.jpg","image"]
:HL["/blog/posts/logo.png","image"]
6:[["$","$Lf",null,{}],["$","main",null,{"className":"pt-20 md:pt-24","children":["$","article",null,{"children":[["$","header",null,{"className":"border-b border-border","children":["$","div",null,{"className":"container mx-auto px-6 py-14 md:py-20","children":[["$","$L10",null,{"href":"/blog","className":"mb-8 inline-flex items-center text-sm font-medium text-muted-foreground transition-colors hover:text-foreground","children":[["$","svg",null,{"ref":"$undefined","xmlns":"http://www.w3.org/2000/svg","width":24,"height":24,"viewBox":"0 0 24 24","fill":"none","stroke":"currentColor","strokeWidth":2,"strokeLinecap":"round","strokeLinejoin":"round","className":"lucide lucide-arrow-left mr-2 h-4 w-4","aria-hidden":"true","children":[["$","path","1l729n",{"d":"m12 19-7-7 7-7"}],["$","path","x3x0zl",{"d":"M19 12H5"}],"$undefined"]}],"Blog"]}],["$","div",null,{"className":"grid gap-8 md:grid-cols-[1fr_0.9fr] md:items-start","children":[["$","div",null,{"className":"max-w-3xl","children":[["$","div",null,{"className":"mb-5 flex flex-wrap items-center gap-3 text-sm text-muted-foreground","children":[["$","span",null,{"className":"rounded-md border border-primary/40 bg-primary/10 px-2.5 py-1 text-primary","children":"Security"}],["$","span",null,{"children":"2026-W20"}],["$","span",null,{"aria-hidden":"true","children":"/"}],["$","span",null,{"children":"4 min read"}],[["$","span",null,{"aria-hidden":"true","children":"/"}],["$","span",null,{"children":["by ",["$","span",null,{"className":"font-medium text-foreground","children":"delve"}]]}]]]}],["$","h1",null,{"className":"text-4xl font-bold leading-tight text-balance md:text-6xl","children":"The Empty-Secret HMAC Bypass"}],["$","p",null,{"className":"mt-6 text-lg leading-relaxed text-muted-foreground md:text-xl","children":"An HMAC validator that skips checks when the secret is missing isn't lenient — it's wide open."}]]}],["$","div",null,{"className":"overflow-hidden rounded-lg border border-border 
bg-card","children":["$","div",null,{"className":"relative aspect-[16/9] overflow-hidden","children":[null,["$","img",null,{"src":"/blog/posts/hmac-empty-secret-bypass/hero.jpg","alt":"A heavy steel padlock lying open on a dark wooden surface with no key visible, hard overhead light casting a sharp shadow.","className":"h-full w-full object-cover"}],["$","img",null,{"src":"/blog/posts/logo.png","alt":"","aria-hidden":"true","className":"pointer-events-none absolute right-4 top-4 h-[50px] w-[50px] mix-blend-screen"}]]}]}]]}]]}]}],["$","div",null,{"className":"container mx-auto px-6 py-12 md:py-16","children":["$","div",null,{"className":"grid gap-10 lg:grid-cols-[minmax(0,1fr)_280px] lg:items-start","children":[["$","div",null,{"className":"max-w-3xl text-muted-foreground","children":[[["$","h2","h2-0",{"className":"mt-12 text-2xl font-semibold leading-snug text-foreground first:mt-0","children":"The problem"}],"\n",["$","p","p-0",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":"Webhook validation via HMAC-SHA256 is standard practice. You read the shared secret from an environment variable, compute the expected signature, and compare against the header the sender provides. 
The implementation looks correct:"}],"\n",["$","div","pre-0",{"style":{"background":"hsl(220, 13%, 18%)","color":"hsl(220, 14%, 71%)","textShadow":"0 1px rgba(0, 0, 0, 0.3)","fontFamily":"\"Fira Code\", \"Fira Mono\", Menlo, Consolas, \"DejaVu Sans Mono\", monospace","direction":"ltr","textAlign":"left","whiteSpace":"pre","wordSpacing":"normal","wordBreak":"normal","lineHeight":"1.5","MozTabSize":"2","OTabSize":"2","tabSize":"2","WebkitHyphens":"none","MozHyphens":"none","msHyphens":"none","hyphens":"none","padding":"1rem","margin":"0.5em 0","overflow":"auto","borderRadius":"0.5rem","marginTop":"1.25rem","marginBottom":0,"border":"1px solid hsl(var(--border))","fontSize":"0.875rem"},"children":["$","code",null,{"style":{"whiteSpace":"pre","fontFamily":"ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, Liberation Mono, Courier New, monospace"},"children":[false,["$L11","$L12","$L13","$L14","$L15","$L16","$L17","$L18","$L19","$L1a","$L1b","$L1c","$L1d","$L1e","\n","$L1f","$L20","$L21","$L22","$L23","$L24","$L25","$L26","$L27","$L28","$L29","$L2a","$L2b","$L2c","$L2d","$L2e","$L2f","$L30","$L31","$L32","$L33","$L34","$L35","$L36","$L37","$L38","$L39","$L3a","$L3b","$L3c","$L3d","$L3e","$L3f","$L40","$L41","$L42","$L43","$L44","$L45","$L46","$L47","$L48","$L49","$L4a","$L4b","$L4c","$L4d","$L4e","$L4f","$L50","$L51","$L52","$L53","$L54","$L55","$L56","$L57","$L58","$L59","$L5a","$L5b","$L5c","$L5d","$L5e","$L5f","$L60","$L61","\n","$L62","$L63","$L64","$L65","$L66","$L67","$L68","$L69","$L6a","$L6b","$L6c","$L6d","$L6e","$L6f","$L70","$L71","$L72","$L73","$L74","$L75","$L76","$L77","$L78","$L79","$L7a","$L7b","$L7c","$L7d","$L7e","$L7f","$L80","$L81","$L82","$L83","$L84","$L85","$L86","$L87","$L88","$L89","$L8a","$L8b","$L8c","$L8d","$L8e","$L8f","$L90","$L91","$L92","$L93","$L94","$L95","$L96","$L97","$L98","$L99","$L9a","$L9b","$L9c","$L9d","$L9e","$L9f","$La0","$La1","$La2","$La3","$La4","$La5","$La6","$La7"]]}]}],"\n","$La8","\n","$La9","\n","$Laa","\n","$Lab",
"\n","$Lac","\n","$Lad","\n","$Lae","\n","$Laf","\n","$Lb0","\n","$Lb1","\n","$Lb2"],"$Lb3",null]}],"$Lb4"]}]}]]}]}],"$Lb5"]
121:I[41451,["/_next/static/chunks/fd0661f1506dcbc6.js","/_next/static/chunks/94245cbda44972fe.js","/_next/static/chunks/af778fff4a0f4be6.js","/_next/static/chunks/b096b037d08e2f31.js"],"Footer"]
11:["$","span","code-segment-0",{"className":"$undefined","style":{},"children":["WEBHOOK_SECRET "]}]
12:["$","span","code-segment-1",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
13:["$","span","code-segment-2",{"className":"$undefined","style":{},"children":[" os"]}]
14:["$","span","code-segment-3",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
15:["$","span","code-segment-4",{"className":"$undefined","style":{},"children":["environ"]}]
16:["$","span","code-segment-5",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
17:["$","span","code-segment-6",{"className":"$undefined","style":{},"children":["get"]}]
18:["$","span","code-segment-7",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
19:["$","span","code-segment-8",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"WEBHOOK_SECRET\""]}]
1a:["$","span","code-segment-9",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
1b:["$","span","code-segment-10",{"className":"$undefined","style":{},"children":[" "]}]
1c:["$","span","code-segment-11",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"\""]}]
1d:["$","span","code-segment-12",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
1e:["$","span","code-segment-13",{"className":"$undefined","style":{},"children":["\n"]}]
1f:["$","span","code-segment-15",{"className":"$undefined","style":{},"children":[""]}]
20:["$","span","code-segment-16",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["def"]}]
21:["$","span","code-segment-17",{"className":"$undefined","style":{},"children":[" "]}]
22:["$","span","code-segment-18",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["verify_signature"]}]
23:["$","span","code-segment-19",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
24:["$","span","code-segment-20",{"className":"$undefined","style":{},"children":["raw_body"]}]
25:["$","span","code-segment-21",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
26:["$","span","code-segment-22",{"className":"$undefined","style":{},"children":[" "]}]
27:["$","span","code-segment-23",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["bytes"]}]
28:["$","span","code-segment-24",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
29:["$","span","code-segment-25",{"className":"$undefined","style":{},"children":[" header_value"]}]
2a:["$","span","code-segment-26",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
2b:["$","span","code-segment-27",{"className":"$undefined","style":{},"children":[" "]}]
2c:["$","span","code-segment-28",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["str"]}]
2d:["$","span","code-segment-29",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
2e:["$","span","code-segment-30",{"className":"$undefined","style":{},"children":[" "]}]
2f:["$","span","code-segment-31",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["-"]}]
30:["$","span","code-segment-32",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":[">"]}]
31:["$","span","code-segment-33",{"className":"$undefined","style":{},"children":[" "]}]
32:["$","span","code-segment-34",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["bool"]}]
33:["$","span","code-segment-35",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
34:["$","span","code-segment-36",{"className":"$undefined","style":{},"children":["\n"]}]
35:["$","span","code-segment-37",{"className":"$undefined","style":{},"children":["    expected "]}]
36:["$","span","code-segment-38",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
37:["$","span","code-segment-39",{"className":"$undefined","style":{},"children":[" "]}]
38:["$","span","code-segment-40",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"sha256=\""]}]
39:["$","span","code-segment-41",{"className":"$undefined","style":{},"children":[" "]}]
3a:["$","span","code-segment-42",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["+"]}]
3b:["$","span","code-segment-43",{"className":"$undefined","style":{},"children":[" hmac"]}]
3c:["$","span","code-segment-44",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
3d:["$","span","code-segment-45",{"className":"$undefined","style":{},"children":["new"]}]
3e:["$","span","code-segment-46",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
3f:["$","span","code-segment-47",{"className":"$undefined","style":{},"children":["\n"]}]
40:["$","span","code-segment-48",{"className":"$undefined","style":{},"children":["        WEBHOOK_SECRET"]}]
41:["$","span","code-segment-49",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
42:["$","span","code-segment-50",{"className":"$undefined","style":{},"children":["encode"]}]
43:["$","span","code-segment-51",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
44:["$","span","code-segment-52",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"ascii\""]}]
45:["$","span","code-segment-53",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
46:["$","span","code-segment-54",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
47:["$","span","code-segment-55",{"className":"$undefined","style":{},"children":["\n"]}]
48:["$","span","code-segment-56",{"className":"$undefined","style":{},"children":["        raw_body"]}]
49:["$","span","code-segment-57",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
4a:["$","span","code-segment-58",{"className":"$undefined","style":{},"children":["\n"]}]
4b:["$","span","code-segment-59",{"className":"$undefined","style":{},"children":["        hashlib"]}]
4c:["$","span","code-segment-60",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
4d:["$","span","code-segment-61",{"className":"$undefined","style":{},"children":["sha256"]}]
4e:["$","span","code-segment-62",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
4f:["$","span","code-segment-63",{"className":"$undefined","style":{},"children":["\n"]}]
50:["$","span","code-segment-64",{"className":"$undefined","style":{},"children":["    "]}]
51:["$","span","code-segment-65",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
52:["$","span","code-segment-66",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
53:["$","span","code-segment-67",{"className":"$undefined","style":{},"children":["hexdigest"]}]
54:["$","span","code-segment-68",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
55:["$","span","code-segment-69",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
56:["$","span","code-segment-70",{"className":"$undefined","style":{},"children":["\n"]}]
57:["$","span","code-segment-71",{"className":"$undefined","style":{},"children":["    "]}]
58:["$","span","code-segment-72",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["return"]}]
59:["$","span","code-segment-73",{"className":"$undefined","style":{},"children":[" hmac"]}]
5a:["$","span","code-segment-74",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
5b:["$","span","code-segment-75",{"className":"$undefined","style":{},"children":["compare_digest"]}]
5c:["$","span","code-segment-76",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
5d:["$","span","code-segment-77",{"className":"$undefined","style":{},"children":["header_value"]}]
5e:["$","span","code-segment-78",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
5f:["$","span","code-segment-79",{"className":"$undefined","style":{},"children":[" expected"]}]
60:["$","span","code-segment-80",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
61:["$","span","code-segment-81",{"className":"$undefined","style":{},"children":["\n"]}]
62:["$","span","code-segment-83",{"className":"$undefined","style":{},"children":[""]}]
63:["$","span","code-segment-84",{"className":"token decorator annotation","style":{"color":"hsl(220, 14%, 71%)"},"children":["@app"]}]
64:["$","span","code-segment-85",{"className":"token decorator annotation","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
65:["$","span","code-segment-86",{"className":"token decorator annotation","style":{"color":"hsl(220, 14%, 71%)"},"children":["post"]}]
66:["$","span","code-segment-87",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
67:["$","span","code-segment-88",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"/webhooks/github\""]}]
68:["$","span","code-segment-89",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
69:["$","span","code-segment-90",{"className":"$undefined","style":{},"children":["\n"]}]
6a:["$","span","code-segment-91",{"className":"$undefined","style":{},"children":[""]}]
6b:["$","span","code-segment-92",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["async"]}]
6c:["$","span","code-segment-93",{"className":"$undefined","style":{},"children":[" "]}]
6d:["$","span","code-segment-94",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["def"]}]
6e:["$","span","code-segment-95",{"className":"$undefined","style":{},"children":[" "]}]
6f:["$","span","code-segment-96",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["webhook"]}]
70:["$","span","code-segment-97",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
71:["$","span","code-segment-98",{"className":"$undefined","style":{},"children":["request"]}]
72:["$","span","code-segment-99",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
73:["$","span","code-segment-100",{"className":"$undefined","style":{},"children":[" Request"]}]
74:["$","span","code-segment-101",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
75:["$","span","code-segment-102",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
76:["$","span","code-segment-103",{"className":"$undefined","style":{},"children":["\n"]}]
77:["$","span","code-segment-104",{"className":"$undefined","style":{},"children":["    raw "]}]
78:["$","span","code-segment-105",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
79:["$","span","code-segment-106",{"className":"$undefined","style":{},"children":[" "]}]
7a:["$","span","code-segment-107",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["await"]}]
7b:["$","span","code-segment-108",{"className":"$undefined","style":{},"children":[" request"]}]
7c:["$","span","code-segment-109",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
7d:["$","span","code-segment-110",{"className":"$undefined","style":{},"children":["body"]}]
7e:["$","span","code-segment-111",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
7f:["$","span","code-segment-112",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
80:["$","span","code-segment-113",{"className":"$undefined","style":{},"children":["\n"]}]
81:["$","span","code-segment-114",{"className":"$undefined","style":{},"children":["    sig "]}]
82:["$","span","code-segment-115",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
83:["$","span","code-segment-116",{"className":"$undefined","style":{},"children":[" request"]}]
84:["$","span","code-segment-117",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
85:["$","span","code-segment-118",{"className":"$undefined","style":{},"children":["headers"]}]
86:["$","span","code-segment-119",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
87:["$","span","code-segment-120",{"className":"$undefined","style":{},"children":["get"]}]
88:["$","span","code-segment-121",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
89:["$","span","code-segment-122",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"x-hub-signature-256\""]}]
8a:["$","span","code-segment-123",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
8b:["$","span","code-segment-124",{"className":"$undefined","style":{},"children":[" "]}]
8c:["$","span","code-segment-125",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"\""]}]
8d:["$","span","code-segment-126",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
8e:["$","span","code-segment-127",{"className":"$undefined","style":{},"children":["\n"]}]
8f:["$","span","code-segment-128",{"className":"$undefined","style":{},"children":["    "]}]
90:["$","span","code-segment-129",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["if"]}]
91:["$","span","code-segment-130",{"className":"$undefined","style":{},"children":[" WEBHOOK_SECRET "]}]
92:["$","span","code-segment-131",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["and"]}]
93:["$","span","code-segment-132",{"className":"$undefined","style":{},"children":[" "]}]
94:["$","span","code-segment-133",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["not"]}]
95:["$","span","code-segment-134",{"className":"$undefined","style":{},"children":[" verify_signature"]}]
96:["$","span","code-segment-135",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
97:["$","span","code-segment-136",{"className":"$undefined","style":{},"children":["raw"]}]
98:["$","span","code-segment-137",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
99:["$","span","code-segment-138",{"className":"$undefined","style":{},"children":[" sig"]}]
9a:["$","span","code-segment-139",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
9b:["$","span","code-segment-140",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
9c:["$","span","code-segment-141",{"className":"$undefined","style":{},"children":["\n"]}]
9d:["$","span","code-segment-142",{"className":"$undefined","style":{},"children":["        "]}]
9e:["$","span","code-segment-143",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["raise"]}]
9f:["$","span","code-segment-144",{"className":"$undefined","style":{},"children":[" HTTPException"]}]
a0:["$","span","code-segment-145",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
a1:["$","span","code-segment-146",{"className":"$undefined","style":{},"children":["status_code"]}]
a2:["$","span","code-segment-147",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
a3:["$","span","code-segment-148",{"className":"token","style":{"color":"hsl(29, 54%, 61%)"},"children":["403"]}]
a4:["$","span","code-segment-149",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
a5:["$","span","code-segment-150",{"className":"$undefined","style":{},"children":["\n"]}]
a6:["$","span","code-segment-151",{"className":"$undefined","style":{},"children":["    "]}]
a7:["$","span","code-segment-152",{"className":"token","style":{"color":"hsl(220, 10%, 40%)","fontStyle":"italic"},"children":["# ... process event ..."]}]
a8:["$","p","p-1",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":["The ",["$","code","code-0",{"className":"rounded bg-secondary px-1.5 py-0.5 text-[0.9em] text-foreground","children":"if WEBHOOK_SECRET and"}]," guard is added for developer convenience: when running locally without a secret configured, the validation is skipped entirely so you can test without setting up env vars."]}]
a9:["$","p","p-2",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":["That guard is a security hole in disguise. In any environment where ",["$","code","code-0",{"className":"rounded bg-secondary px-1.5 py-0.5 text-[0.9em] text-foreground","children":"WEBHOOK_SECRET"}]," is unset or set to an empty string — a new server, a misconfigured deploy, a container that didn't receive its secrets — the webhook endpoint accepts ",["$","strong","strong-0",{"children":"all requests without verification"}],". An attacker who discovers the endpoint can forge any event, including events that trigger deployments, privilege changes, or code execution."]}]
aa:["$","p","p-3",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":"The failure mode is insidious because the developer environment \"works\" by design. The hole only manifests where secrets are absent, and those are exactly the environments where an attacker is most likely to probe."}]
ab:["$","h2","h2-1",{"className":"mt-12 text-2xl font-semibold leading-snug text-foreground first:mt-0","children":"The approach"}]
ac:["$","p","p-4",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":["The fix is one line: return ",["$","code","code-0",{"className":"rounded bg-secondary px-1.5 py-0.5 text-[0.9em] text-foreground","children":"False"}]," immediately when the secret is not configured."]}]
ad:["$","div","pre-1",{"style":{"background":"hsl(220, 13%, 18%)","color":"hsl(220, 14%, 71%)","textShadow":"0 1px rgba(0, 0, 0, 0.3)","fontFamily":"\"Fira Code\", \"Fira Mono\", Menlo, Consolas, \"DejaVu Sans Mono\", monospace","direction":"ltr","textAlign":"left","whiteSpace":"pre","wordSpacing":"normal","wordBreak":"normal","lineHeight":"1.5","MozTabSize":"2","OTabSize":"2","tabSize":"2","WebkitHyphens":"none","MozHyphens":"none","msHyphens":"none","hyphens":"none","padding":"1rem","margin":"0.5em 0","overflow":"auto","borderRadius":"0.5rem","marginTop":"1.25rem","marginBottom":0,"border":"1px solid hsl(var(--border))","fontSize":"0.875rem"},"children":["$","code",null,{"style":{"whiteSpace":"pre","fontFamily":"ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, Liberation Mono, Courier New, monospace"},"children":[false,[["$","span","code-segment-0",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["def"]}],["$","span","code-segment-1",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-2",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["verify_signature"]}],["$","span","code-segment-3",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}],["$","span","code-segment-4",{"className":"$undefined","style":{},"children":["raw_body"]}],["$","span","code-segment-5",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}],["$","span","code-segment-6",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-7",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["bytes"]}],["$","span","code-segment-8",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}],["$","span","code-segment-9",{"className":"$undefined","style":{},"children":[" header_value"]}],["$","span","code-segment-10",{"className":"token","style":{"color":"hsl(220, 14%, 
71%)"},"children":[":"]}],["$","span","code-segment-11",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-12",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["str"]}],["$","span","code-segment-13",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}],["$","span","code-segment-14",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-15",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["-"]}],["$","span","code-segment-16",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":[">"]}],["$","span","code-segment-17",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-18",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["bool"]}],["$","span","code-segment-19",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}],["$","span","code-segment-20",{"className":"$undefined","style":{},"children":["\n"]}],["$","span","code-segment-21",{"className":"$undefined","style":{},"children":["    "]}],["$","span","code-segment-22",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["if"]}],["$","span","code-segment-23",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-24",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["not"]}],["$","span","code-segment-25",{"className":"$undefined","style":{},"children":[" WEBHOOK_SECRET"]}],["$","span","code-segment-26",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}],["$","span","code-segment-27",{"className":"$undefined","style":{},"children":["\n"]}],["$","span","code-segment-28",{"className":"$undefined","style":{},"children":["        "]}],["$","span","code-segment-29",{"className":"token","style":{"color":"hsl(286, 60%, 
67%)"},"children":["return"]}],["$","span","code-segment-30",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-31",{"className":"token","style":{"color":"hsl(29, 54%, 61%)"},"children":["False"]}],["$","span","code-segment-32",{"className":"$undefined","style":{},"children":["  "]}],["$","span","code-segment-33",{"className":"token","style":{"color":"hsl(220, 10%, 40%)","fontStyle":"italic"},"children":["# reject all requests when secret is not configured"]}],["$","span","code-segment-34",{"className":"$undefined","style":{},"children":["\n"]}],["$","span","code-segment-35",{"className":"$undefined","style":{},"children":["    expected "]}],["$","span","code-segment-36",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}],["$","span","code-segment-37",{"className":"$undefined","style":{},"children":[" "]}],["$","span","code-segment-38",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"sha256=\""]}],"$Lb6","$Lb7","$Lb8","$Lb9","$Lba","$Lbb","$Lbc","$Lbd","$Lbe","$Lbf","$Lc0","$Lc1","$Lc2","$Lc3","$Lc4","$Lc5","$Lc6","$Lc7","$Lc8","$Lc9","$Lca","$Lcb","$Lcc","$Lcd","$Lce","$Lcf","$Ld0","$Ld1","$Ld2","$Ld3","$Ld4","$Ld5","$Ld6","$Ld7","$Ld8","$Ld9","$Lda","$Ldb","$Ldc","$Ldd","$Lde","\n","$Ldf","$Le0","$Le1","$Le2","$Le3","$Le4","$Le5","$Le6","$Le7","$Le8","$Le9","$Lea","$Leb","$Lec","$Led","$Lee","$Lef","$Lf0","$Lf1","$Lf2","$Lf3","$Lf4","$Lf5","$Lf6","$Lf7","$Lf8","$Lf9","$Lfa","$Lfb","$Lfc","$Lfd","$Lfe","$Lff","$L100","$L101","$L102","$L103","$L104","$L105","$L106","$L107","$L108","$L109","$L10a","$L10b","$L10c","$L10d","$L10e","$L10f","$L110","$L111","$L112","$L113","$L114","$L115","$L116","$L117","$L118","$L119","$L11a","$L11b","$L11c","$L11d","$L11e","$L11f"]]}]}]
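ae:["$","p","p-5",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":"The caller no longer short-circuits on an empty secret. The validation function always runs, and an unconfigured secret is treated as a definitive reject rather than a passthrough. One caveat on the listing above: hmac.compare_digest raises TypeError when a str argument contains non-ASCII characters, so a malformed signature header surfaces as an error rather than the 403. That still fails closed, but comparing both sides as bytes keeps every rejection on the same path."}]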
af:["$","p","p-6",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":"Local development now requires setting the secret, which is a minor inconvenience. The alternative — a production endpoint that accepts unsigned requests because someone forgot an env var — is not a trade worth making."}]
b0:["$","h2","h2-2",{"className":"mt-12 text-2xl font-semibold leading-snug text-foreground first:mt-0","children":"What I learned"}]
b1:["$","p","p-7",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":["The pattern generalizes: any security check that defaults to \"allow\" when the security material is absent is broken by construction. HMAC with a missing key, TLS with an empty cert store, authentication middleware that short-circuits on a nil token — all are the same class of bug. The correct invariant is: ",["$","em","em-0",{"children":"absent security material means deny, not allow."}]]}]
b2:["$","p","p-8",{"className":"mt-4 text-base leading-8 md:text-lg first:mt-0 first:text-xl first:leading-relaxed first:text-foreground md:first:text-2xl","children":["A second observation: this bug class is almost always introduced by a developer whose mental model is \"the check is optional in dev.\" That framing is wrong. The check is mandatory in all environments; the ",["$","em","em-0",{"children":"secret value"}]," is different per environment. Those two things must not be conflated. The right local-dev solution is a test secret in a ",["$","code","code-0",{"className":"rounded bg-secondary px-1.5 py-0.5 text-[0.9em] text-foreground","children":".env"}]," file, not a code branch that disables the check. Keep that file out of version control, and never reuse the test value as the production secret."]}]
b5:["$","$L121",null,{}]
b6:["$","span","code-segment-39",{"className":"$undefined","style":{},"children":[" "]}]
b7:["$","span","code-segment-40",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["+"]}]
b8:["$","span","code-segment-41",{"className":"$undefined","style":{},"children":[" hmac"]}]
b9:["$","span","code-segment-42",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
ba:["$","span","code-segment-43",{"className":"$undefined","style":{},"children":["new"]}]
bb:["$","span","code-segment-44",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
bc:["$","span","code-segment-45",{"className":"$undefined","style":{},"children":["\n"]}]
bd:["$","span","code-segment-46",{"className":"$undefined","style":{},"children":["        WEBHOOK_SECRET"]}]
be:["$","span","code-segment-47",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
bf:["$","span","code-segment-48",{"className":"$undefined","style":{},"children":["encode"]}]
c0:["$","span","code-segment-49",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
c1:["$","span","code-segment-50",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"ascii\""]}]
c2:["$","span","code-segment-51",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
c3:["$","span","code-segment-52",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
c4:["$","span","code-segment-53",{"className":"$undefined","style":{},"children":["\n"]}]
c5:["$","span","code-segment-54",{"className":"$undefined","style":{},"children":["        raw_body"]}]
c6:["$","span","code-segment-55",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
c7:["$","span","code-segment-56",{"className":"$undefined","style":{},"children":["\n"]}]
c8:["$","span","code-segment-57",{"className":"$undefined","style":{},"children":["        hashlib"]}]
c9:["$","span","code-segment-58",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
ca:["$","span","code-segment-59",{"className":"$undefined","style":{},"children":["sha256"]}]
cb:["$","span","code-segment-60",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
cc:["$","span","code-segment-61",{"className":"$undefined","style":{},"children":["\n"]}]
cd:["$","span","code-segment-62",{"className":"$undefined","style":{},"children":["    "]}]
ce:["$","span","code-segment-63",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
cf:["$","span","code-segment-64",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
d0:["$","span","code-segment-65",{"className":"$undefined","style":{},"children":["hexdigest"]}]
d1:["$","span","code-segment-66",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
d2:["$","span","code-segment-67",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
d3:["$","span","code-segment-68",{"className":"$undefined","style":{},"children":["\n"]}]
d4:["$","span","code-segment-69",{"className":"$undefined","style":{},"children":["    "]}]
d5:["$","span","code-segment-70",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["return"]}]
d6:["$","span","code-segment-71",{"className":"$undefined","style":{},"children":[" hmac"]}]
d7:["$","span","code-segment-72",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
d8:["$","span","code-segment-73",{"className":"$undefined","style":{},"children":["compare_digest"]}]
d9:["$","span","code-segment-74",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
da:["$","span","code-segment-75",{"className":"$undefined","style":{},"children":["header_value"]}]
db:["$","span","code-segment-76",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
dc:["$","span","code-segment-77",{"className":"$undefined","style":{},"children":[" expected"]}]
dd:["$","span","code-segment-78",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
de:["$","span","code-segment-79",{"className":"$undefined","style":{},"children":["\n"]}]
df:["$","span","code-segment-81",{"className":"$undefined","style":{},"children":[""]}]
e0:["$","span","code-segment-82",{"className":"token decorator annotation","style":{"color":"hsl(220, 14%, 71%)"},"children":["@app"]}]
e1:["$","span","code-segment-83",{"className":"token decorator annotation","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
e2:["$","span","code-segment-84",{"className":"token decorator annotation","style":{"color":"hsl(220, 14%, 71%)"},"children":["post"]}]
e3:["$","span","code-segment-85",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
e4:["$","span","code-segment-86",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"/webhooks/github\""]}]
e5:["$","span","code-segment-87",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
e6:["$","span","code-segment-88",{"className":"$undefined","style":{},"children":["\n"]}]
e7:["$","span","code-segment-89",{"className":"$undefined","style":{},"children":[""]}]
e8:["$","span","code-segment-90",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["async"]}]
e9:["$","span","code-segment-91",{"className":"$undefined","style":{},"children":[" "]}]
ea:["$","span","code-segment-92",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["def"]}]
eb:["$","span","code-segment-93",{"className":"$undefined","style":{},"children":[" "]}]
ec:["$","span","code-segment-94",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["webhook"]}]
ed:["$","span","code-segment-95",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
ee:["$","span","code-segment-96",{"className":"$undefined","style":{},"children":["request"]}]
ef:["$","span","code-segment-97",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
f0:["$","span","code-segment-98",{"className":"$undefined","style":{},"children":[" Request"]}]
f1:["$","span","code-segment-99",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
f2:["$","span","code-segment-100",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
f3:["$","span","code-segment-101",{"className":"$undefined","style":{},"children":["\n"]}]
f4:["$","span","code-segment-102",{"className":"$undefined","style":{},"children":["    raw "]}]
f5:["$","span","code-segment-103",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
f6:["$","span","code-segment-104",{"className":"$undefined","style":{},"children":[" "]}]
f7:["$","span","code-segment-105",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["await"]}]
f8:["$","span","code-segment-106",{"className":"$undefined","style":{},"children":[" request"]}]
f9:["$","span","code-segment-107",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
fa:["$","span","code-segment-108",{"className":"$undefined","style":{},"children":["body"]}]
fb:["$","span","code-segment-109",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
fc:["$","span","code-segment-110",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
fd:["$","span","code-segment-111",{"className":"$undefined","style":{},"children":["\n"]}]
fe:["$","span","code-segment-112",{"className":"$undefined","style":{},"children":["    sig "]}]
ff:["$","span","code-segment-113",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
100:["$","span","code-segment-114",{"className":"$undefined","style":{},"children":[" request"]}]
101:["$","span","code-segment-115",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
102:["$","span","code-segment-116",{"className":"$undefined","style":{},"children":["headers"]}]
103:["$","span","code-segment-117",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["."]}]
104:["$","span","code-segment-118",{"className":"$undefined","style":{},"children":["get"]}]
105:["$","span","code-segment-119",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
106:["$","span","code-segment-120",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"x-hub-signature-256\""]}]
107:["$","span","code-segment-121",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
108:["$","span","code-segment-122",{"className":"$undefined","style":{},"children":[" "]}]
109:["$","span","code-segment-123",{"className":"token","style":{"color":"hsl(95, 38%, 62%)"},"children":["\"\""]}]
10a:["$","span","code-segment-124",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
10b:["$","span","code-segment-125",{"className":"$undefined","style":{},"children":["\n"]}]
10c:["$","span","code-segment-126",{"className":"$undefined","style":{},"children":["    "]}]
10d:["$","span","code-segment-127",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["if"]}]
10e:["$","span","code-segment-128",{"className":"$undefined","style":{},"children":[" "]}]
10f:["$","span","code-segment-129",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["not"]}]
110:["$","span","code-segment-130",{"className":"$undefined","style":{},"children":[" verify_signature"]}]
111:["$","span","code-segment-131",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
112:["$","span","code-segment-132",{"className":"$undefined","style":{},"children":["raw"]}]
113:["$","span","code-segment-133",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[","]}]
114:["$","span","code-segment-134",{"className":"$undefined","style":{},"children":[" sig"]}]
115:["$","span","code-segment-135",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
116:["$","span","code-segment-136",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[":"]}]
117:["$","span","code-segment-137",{"className":"$undefined","style":{},"children":["\n"]}]
118:["$","span","code-segment-138",{"className":"$undefined","style":{},"children":["        "]}]
119:["$","span","code-segment-139",{"className":"token","style":{"color":"hsl(286, 60%, 67%)"},"children":["raise"]}]
11a:["$","span","code-segment-140",{"className":"$undefined","style":{},"children":[" HTTPException"]}]
11b:["$","span","code-segment-141",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":["("]}]
11c:["$","span","code-segment-142",{"className":"$undefined","style":{},"children":["status_code"]}]
11d:["$","span","code-segment-143",{"className":"token","style":{"color":"hsl(207, 82%, 66%)"},"children":["="]}]
11e:["$","span","code-segment-144",{"className":"token","style":{"color":"hsl(29, 54%, 61%)"},"children":["403"]}]
11f:["$","span","code-segment-145",{"className":"token","style":{"color":"hsl(220, 14%, 71%)"},"children":[")"]}]
b:[["$","meta","0",{"charSet":"utf-8"}],["$","meta","1",{"name":"viewport","content":"width=device-width, initial-scale=1"}]]
122:I[94060,["/_next/static/chunks/316a3a63422f35de.js"],"IconMark"]
9:null
d:[["$","title","0",{"children":"The Empty-Secret HMAC Bypass — Bridgestack"}],["$","meta","1",{"name":"description","content":"An HMAC validator that skips checks when the secret is missing isn't lenient — it's wide open."}],["$","meta","2",{"name":"generator","content":"v0.app"}],["$","meta","3",{"property":"og:title","content":"Bridgestack — custom software, flat prices from $9.99"}],["$","meta","4",{"property":"og:description","content":"Talk to Tom, your AI PM. A fleet of AI agents builds your product. Flat one-time price. 7 days to test before you pay. Source code is yours."}],["$","meta","5",{"property":"og:url","content":"https://www.bridgestack.systems"}],["$","meta","6",{"property":"og:site_name","content":"Bridgestack"}],["$","meta","7",{"property":"og:locale","content":"en_US"}],["$","meta","8",{"property":"og:image","content":"https://www.bridgestack.systems/bridgestack-landscape-1200x628.png"}],["$","meta","9",{"property":"og:image:width","content":"1200"}],["$","meta","10",{"property":"og:image:height","content":"628"}],["$","meta","11",{"property":"og:type","content":"website"}],["$","meta","12",{"name":"twitter:card","content":"summary_large_image"}],["$","meta","13",{"name":"twitter:title","content":"Bridgestack — custom software, flat prices from $9.99"}],["$","meta","14",{"name":"twitter:description","content":"Talk to Tom, your AI PM. A fleet of AI agents builds your product. 7 days to test before you pay. Source code is yours."}],["$","meta","15",{"name":"twitter:image","content":"https://www.bridgestack.systems/bridgestack-landscape-1200x628.png"}],["$","link","16",{"rel":"icon","href":"/icon-light-32x32.png","media":"(prefers-color-scheme: light)"}],["$","link","17",{"rel":"icon","href":"/icon-dark-32x32.png","media":"(prefers-color-scheme: dark)"}],["$","link","18",{"rel":"icon","href":"/icon.svg","type":"image/svg+xml"}],["$","link","19",{"rel":"apple-touch-icon","href":"/apple-icon.png"}],["$","$L122","20",{}]]
