Area: Backend
Files: services/api/src/email/webhook.rs, services/api/src/security.rs, services/api/src/config.rs
Problem: Webhook events are accepted without signature validation.
Acceptance Criteria:
- Signature/timestamp verification is enforced.
- Invalid signatures are rejected with 401 or 403.
- Replay protection window is implemented.
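
An added sketch of the check the acceptance criteria describe, not code from this repository. The function and type names, the "<timestamp>.<body>" signed payload, the 300-second window and the injected MAC function are all assumptions.

```rust
// Added example: names, signed-payload layout and the 300 s window are assumptions.
#[derive(Debug, PartialEq)]
pub enum Reject { BadSignature, BadTimestamp, OutsideWindow }

impl Reject {
    /// The ticket allows 401 or 403; this sketch answers 401 for every rejection.
    pub fn status(&self) -> u16 { 401 }
}

pub const REPLAY_WINDOW_SECS: u64 = 300; // assumed default; would come from config.rs

/// Compare MACs without returning early on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// `mac(key, msg)` is the keyed MAC, e.g. HMAC-SHA256 from a vetted crate; it is
/// injected so this block stays std-only. The MAC covers "<timestamp>.<body>",
/// so the timestamp cannot be altered without invalidating the signature.
pub fn verify_webhook<M>(mac: M, secret: &[u8], ts_header: &str, sig: &[u8],
                         body: &[u8], now: u64) -> Result<(), Reject>
where
    M: Fn(&[u8], &[u8]) -> Vec<u8>,
{
    let mut signed = Vec::with_capacity(ts_header.len() + 1 + body.len());
    signed.extend_from_slice(ts_header.as_bytes());
    signed.push(b'.');
    signed.extend_from_slice(body);
    // Authenticate first, then interpret the (now trusted) timestamp.
    if !ct_eq(&mac(secret, &signed), sig) {
        return Err(Reject::BadSignature);
    }
    let ts: u64 = ts_header.parse().map_err(|_| Reject::BadTimestamp)?;
    if now.abs_diff(ts) > REPLAY_WINDOW_SECS {
        return Err(Reject::OutsideWindow);
    }
    Ok(())
}

fn main() {
    // Constructed stand-in MAC (key || msg) so the demo runs offline; NOT secure.
    let toy = |k: &[u8], m: &[u8]| -> Vec<u8> { [k, m].concat() };
    let key: &[u8] = b"constructed-secret";
    let body: &[u8] = b"{\"event\":\"delivered\"}";
    let sig = toy(key, &b"1700000000.{\"event\":\"delivered\"}"[..]);
    // Valid signature but 400 s old, outside the 300 s window.
    let res = verify_webhook(toy, key, "1700000000", &sig, body, 1_700_000_400);
    println!("{:?} -> {:?}", res, res.as_ref().err().map(|e| e.status()));
}
```

A time window alone still admits a replay inside the window; recording seen event ids for the window's duration closes that gap.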