The Callback Risk
A webhook is an HTTP callback the sender posts to your public URL when an event happens. Because the endpoint is open to the internet, anyone could post a fake event. You must prove each request truly came from the real sender and was not tampered with.
Signature Verification
The sender computes an HMAC over the raw request body using a shared secret and puts the result in a header. Your server recomputes the HMAC with the same secret and compares. A match proves both authenticity and integrity, since an attacker without the secret cannot forge it.
Replay and Ordering
- Include a timestamp in the signed payload and reject old requests to stop replays.
- Use a constant-time comparison to avoid timing leaks.
- Treat delivery as at-least-once, so make handlers idempotent to absorb duplicates.
Operational Notes
Verify against the raw bytes, not a reparsed body, or the signature will not match. Rotate the shared secret periodically.
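The verification flow described above (HMAC over timestamp plus raw body, constant-time compare, replay window, idempotent handling), as an added example that is not code from the original page. The header name, the "t=...,v1=..." layout, the "<timestamp>.<raw body>" signed string and the 300-second tolerance are assumptions; a real sender's format may differ.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed format (not from the page): header "t=<unix ts>,v1=<hex hmac>"
# and the signed string is "<timestamp>.<raw body>".
SIGNATURE_HEADER = "X-Webhook-Signature"
TOLERANCE_SECONDS = 300

def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp bound to the raw body."""
    signed = str(timestamp).encode() + b"." + raw_body
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"

def verify(secret: bytes, header: str, raw_body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: recompute over the raw bytes (never a re-serialized body),
    reject timestamps outside the replay window, compare in constant time."""
    now = int(time.time()) if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    if not parts.get("t", "").isdigit() or "v1" not in parts:
        return False
    timestamp = int(parts["t"])
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treated as a replay
    expected = sign(secret, timestamp, raw_body).split("v1=", 1)[1]
    return hmac.compare_digest(expected, parts["v1"])  # constant-time

class WebhookReceiver:
    """Idempotent handler: a redelivery with the same timestamp and body is
    acknowledged but its side effects are not run twice. The dedupe key is the
    verified header, which is unique per (timestamp, body) under one secret."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()      # production: persistent store with TTL >= TOLERANCE_SECONDS
        self.processed = []    # stands in for the real side effects

    def handle(self, header: str, raw_body: bytes, now: Optional[int] = None) -> int:
        if not verify(self.secret, header, raw_body, now):
            return 401         # unauthenticated, tampered, or replayed
        if header in self.seen:
            return 200         # duplicate delivery: ack without reprocessing
        self.seen.add(header)
        self.processed.append(raw_body)
        return 200
```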
Key idea
Webhook security relies on an HMAC signature over the raw body plus a timestamp, proving authenticity and integrity, while constant-time checks and idempotency guard against replays and duplicates.