diff --git a/backend/src/routes/webhook.js b/backend/src/routes/webhook.js
index 6e04f23..b1e7577 100644
--- a/backend/src/routes/webhook.js
+++ b/backend/src/routes/webhook.js
@@ -3,6 +3,14 @@ const router = express.Router();
 const Stripe = require('stripe');
 const { supabase } = require('../config/supabase');
+// SECURITY: Require STRIPE_WEBHOOK_SECRET in production
+if (!process.env.STRIPE_WEBHOOK_SECRET) {
+ console.error('❌ FATAL: STRIPE_WEBHOOK_SECRET is required!');
+ console.error(' Webhook signature verification cannot be disabled.');
+ console.error(' Get your webhook secret from: https://dashboard.stripe.com/webhooks');
+ process.exit(1);
+}
+
 const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
 /**
@@ -18,14 +26,8 @@ router.post('/stripe', async (req, res) => {
 let event;
 try {
- // If webhook secret is configured, verify signature
- if (webhookSecret) {
- event = stripe.webhooks.constructEvent(req.body, sig, webhookSecret);
- } else {
- // For local development without webhook secret
- event = JSON.parse(req.body.toString());
- console.warn('⚠️ Webhook signature verification skipped (no STRIPE_WEBHOOK_SECRET)');
- }
+ // SECURITY: Always verify webhook signature
+ event = stripe.webhooks.constructEvent(req.body, sig, webhookSecret);
 } catch (err) {
 console.error('Webhook signature verification failed:', err.message);
 return res.status(400).send(`Webhook Error: ${err.message}`);
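Review bot: The comment on the new startup guard says the secret is required "in production", but the `if (!process.env.STRIPE_WEBHOOK_SECRET)` check is unconditional, so it also stops local development and test runs. The comment should say what the code does, e.g. `// SECURITY: fail closed in every environment; there is no unsigned-webhook mode`. Because the guard runs when the route module is loaded, `process.exit(1)` terminates any process that merely requires this file, a test runner for instance. `throw new Error('STRIPE_WEBHOOK_SECRET is required')` keeps the fail-closed behaviour and leaves the exit decision to the application entry point. The check also accepts any non-empty string, so a placeholder value passes start-up and only surfaces later as failed verifications.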
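Review bot: In the unchanged `catch` block at the end of this hunk the response still echoes `err.message` to the sender, and with verification now mandatory every unsigned or forged request ends up there. A fixed body such as `return res.status(400).send('Invalid webhook signature');`, with the detail kept in the existing `console.error` line, tells an unauthenticated caller nothing about why the check failed. `constructEvent` verifies the signature over the exact bytes Stripe sent, so `req.body` has to be the raw, unparsed payload. The removed fallback's `req.body.toString()` suggests it is, but the body-parser setup is outside this hunk and worth confirming. The handler starts before and continues after the hunk.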