Improve API real-time and webhook evidence gates by danyili2632 · Pull Request #1445 · UnitOneAI/SecuritySkills

danyili2632 · 2026-06-06T14:19:42Z

Summary

expands API surface inventory beyond REST/GraphQL/gRPC to include WebSocket, SSE, webhook/callback, and async job/result flows
adds evidence gates for WSS, Origin/CSRF/CSWSH, session lifecycle, per-message authorization, payload limits, replay protection, rate limits, and monitoring
adds webhook/callback checks for raw-body signature verification, timestamp freshness, nonce/event replay cache, idempotency, event allowlists, secret rotation, and safe failure handling
models async job/result lifecycles from create/status/worker/callback/result URL with owner and tenant authorization checks
extends output API style values and adds a real-time/webhook/async evidence table

git diff --check
rg -n "Real-Time|WebSocket|SSE|Webhook|Callback|Async Job|raw-body|Origin allowlist|CSWSH|per-message|idempotency|result URL|WebSocket Security Cheat Sheet" skills/appsec/api-security/SKILL.md
verified Markdown fence count remains even: 8

Bounty target: Improver Moderate if accepted.
Preferred payout: Base USDC 0x6CBF4b5cb88b8C2B7af776Bc2B073163B5d3C08A

improve api realtime webhook evidence gates

6f11924

danyili2632 mentioned this pull request Jun 6, 2026

[REVIEW] api-security: add real-time channel and webhook evidence gates #1443

Open

4 tasks