Fix guide · high · discord_webhook_url

Discord webhook URL in client code

Why it matters

Anyone with the webhook URL can post arbitrary messages to that Discord channel. Spammers harvest these continuously.

How to fix it

1. Delete the webhook in Discord → Server Settings → Integrations → Webhooks → delete.
2. For server-to-Discord posting, use a bot token (server-only) instead of a webhook URL.
3. If a webhook is genuinely needed in client code, accept that anyone will spam it; rate-limit at your gateway.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.