Edge Case: Cross-Site Isolation and Data Separation
Property: ChurchWiseAI
Category: Security
Tier: all
Persona: security-tester
Touchpoint: /api/stripe/webhook, /api/onboard
Preconditions
- Multiple sites live: churchwiseai.com, pewsearch.com, illustratetheword.com
- Each site has Stripe webhooks and onboard flows
Steps
| # | Action | Expected Result |
|---|---|---|
| 1 | Send unsigned Stripe webhook to CWA endpoint | API returns 400 or 401 (Unauthorized). Rejects webhook without valid signature. |
| 2 | Send unsigned Stripe webhook to PewSearch endpoint | API returns 400 or 401. PewSearch rejects unsigned webhook. |
| 3 | Send unsigned Stripe webhook to ITW endpoint | API returns 400 or 401. ITW rejects unsigned webhook. |
| 4 | Send CWA Stripe webhook signature to PewSearch endpoint | API returns 400/401. Cross-site signatures are rejected. |
| 5 | Send onboard request with fake church UUID | API returns 400-404 (church not found). Status >= 400 but < 500. Never succeeds with fake ID. |
| 6 | Send onboard request with PewSearch plan key to CWA | API returns 400 (invalid plan). CWA rejects PewSearch-only plans. |
| 7 | Send onboard request with ITW product ID to CWA | API returns 400 (invalid plan). CWA rejects ITW-only products. |
| 8 | Access admin dashboard with token from different site | API returns 401 (Unauthorized) or redirects to login. Token from one site cannot access another. |
| 9 | Send customer ID from PewSearch to CWA billing API | API returns 404 or 403. Cross-site customer IDs rejected. |
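The webhook checks in steps 1 through 4, plus the replay window a real endpoint should also enforce, as an added TypeScript example that is not part of the project's code or the Playwright spec. It assumes one Stripe endpoint secret per site (constructed values here), follows Stripe's documented `t=<unix>,v1=<hex hmac>` header format, and answers every rejection with 400 (the table allows 400 or 401).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed per-site webhook secrets (hypothetical, not the real ones).
// A separate secret per property is what makes a CWA signature fail on PewSearch.
const WEBHOOK_SECRETS: Record<string, string> = {
  cwa: "whsec_cwa_constructed_secret",
  pewsearch: "whsec_pewsearch_constructed_secret",
  itw: "whsec_itw_constructed_secret",
};

// Build a Stripe-style signature header over "<t>.<body>"; used only to
// construct test inputs for verifyWebhook below.
export function signPayload(body: string, secret: string, timestamp: number): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${body}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Verify a webhook for one site and return the HTTP status the endpoint should
// send: 200 for a fresh, correctly signed body; 400 for a missing header,
// a signature minted with another site's secret, a tampered body or a stale timestamp.
export function verifyWebhook(
  site: string, body: string, sigHeader: string | undefined, now: number, toleranceSec = 300,
): number {
  const secret = WEBHOOK_SECRETS[site];
  if (!secret || !sigHeader) return 400;
  const parts = new Map<string, string>();
  for (const kv of sigHeader.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) parts.set(kv.slice(0, i), kv.slice(i + 1));
  }
  const t = Number(parts.get("t"));
  const v1 = parts.get("v1");
  if (!Number.isFinite(t) || v1 === undefined || v1.length !== 64) return 400;
  if (Math.abs(now - t) > toleranceSec) return 400; // replay protection window
  const expected = createHmac("sha256", secret).update(`${t}.${body}`).digest();
  const given = Buffer.from(v1, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 400;
  return 200;
}

// Reproduce steps 1-4 of the table against the verifier: unsigned delivery,
// a valid same-site signature, a cross-site signature and a replayed one.
export function runIsolationChecks(): Record<string, number> {
  const body = JSON.stringify({ id: "evt_constructed", type: "checkout.session.completed" });
  const now = 1_700_000_000;
  const cwaSig = signPayload(body, WEBHOOK_SECRETS.cwa, now);
  return {
    unsignedToCwa: verifyWebhook("cwa", body, undefined, now),        // 400
    cwaSigToCwa: verifyWebhook("cwa", body, cwaSig, now),             // 200
    cwaSigToPewsearch: verifyWebhook("pewsearch", body, cwaSig, now), // 400
    replayedCwaSig: verifyWebhook("cwa", body, cwaSig, now + 600),    // 400
  };
}
```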
Known Failure Modes
- Unsigned webhooks accepted — webhook spoofing vulnerability
- Cross-site plan keys work on wrong site — products misaligned
- Admin token from one site works on another — auth breach
- Customer data from one site accessible via another — data leak
References
- Playwright spec: e2e/edge-cross-site.spec.ts
- Code files:
Notes
Tests that the properties (CWA, PewSearch, ITW) are properly isolated from one another. Stripe webhooks must be signed and specific to each site. Plan keys are product-specific and must be rejected when sent to the wrong site. Auth tokens must not work across properties. Customer and church data from one site must not be accessible through another. This is critical for multi-tenant isolation and financial data security.