Fix guide · high · slack_webhook_url

Slack incoming webhook URL in client code

What this rule means

A Slack incoming webhook URL (https://hooks.slack.com/services/T*/B*/...) was found in your client code.

Why it matters

The webhook URL is itself the credential: anyone with the URL can post to that Slack channel. A common abuse is posting phishing links that impersonate internal alerts.

How to fix it

  1. Revoke the exposed webhook: in Slack, go to app settings → Incoming Webhooks and delete it.
  2. Send messages from your server instead, using Block Kit with a bot token kept server-side, for richer formatting and better security.
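
A sketch of step 2 as a server-side relay, added here as an example (not vibecheck's or Slack's own code): the browser sends only the message text to your backend, and the backend holds the bot token and picks the channel. The function names, the environment variable names SLACK_BOT_TOKEN and SLACK_CHANNEL_ID, and the 500-character cap are assumptions.

```javascript
// Added example, not vibecheck's or Slack's code. Requires Node 18+ (global fetch).
const SLACK_API = "https://slack.com/api/chat.postMessage";
const MAX_LEN = 500; // assumed cap on user-supplied text

// Secrets come from server-side environment variables (variable names are assumptions).
function configFromEnv(env = process.env) {
  return { token: env.SLACK_BOT_TOKEN, channel: env.SLACK_CHANNEL_ID };
}

// Validate untrusted browser input. The client never chooses the channel.
function validateFeedback(body) {
  if (!body || typeof body.message !== "string") return null;
  const message = body.message.trim();
  if (message.length === 0 || message.length > MAX_LEN) return null;
  return { message };
}

// Build the chat.postMessage request. User text goes into a plain_text
// object, which Slack does not parse as mrkdwn.
function buildSlackRequest(feedback, { token, channel }) {
  const blocks = [
    { type: "header", text: { type: "plain_text", text: "Web app feedback" } },
    { type: "section", text: { type: "plain_text", text: feedback.message, emoji: false } },
  ];
  return {
    url: SLACK_API,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json; charset=utf-8",
        Authorization: `Bearer ${token}`,
      },
      body: JSON.stringify({ channel, text: "New web app feedback", blocks }),
    },
  };
}

// Core of the server route. fetchImpl is injectable so it can be tested offline.
async function relayFeedback(body, config, fetchImpl = globalThis.fetch) {
  const feedback = validateFeedback(body);
  if (!feedback) return { status: 400, error: "invalid_input" };
  const { url, init } = buildSlackRequest(feedback, config);
  const data = await (await fetchImpl(url, init)).json();
  // Slack signals API failures with ok:false in the JSON body.
  if (!data.ok) return { status: 502, error: "slack_error" };
  return { status: 200 };
}
```

Call relayFeedback(requestBody, configFromEnv()) from your own authenticated, rate-limited route, so the endpoint does not become an open relay in place of the webhook.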

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.