Webhook


Receiving: Signature Verification

  • Always verify HMAC signature—payload can be forged; don't trust without signature
  • Common pattern: HMAC-SHA256(secret, raw_body) compared to header value
  • Use raw body bytes—parsed JSON may reorder keys, breaking signature
  • Timing-safe comparison—prevent timing attacks on signature check
  • Reject missing or invalid signature with 401—log for investigation

Receiving: Replay Prevention

  • Check timestamp in payload or header—reject if too old (>5 minutes)
  • Combine with signature—timestamp without signature can be forged
  • Store processed event IDs—reject duplicates even within time window
  • Clock skew tolerance: allow 1-2 minutes past—but not hours
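
The two checklists above combined into one receiver-side check, as an added Python example that is not part of the original skill: HMAC-SHA256 over the raw body, timing-safe comparison, a timestamp window, and duplicate rejection. The header names (`X-Signature`, `X-Timestamp`, `X-Event-Id`), the `id.timestamp.body` signing layout, and the 400/409 status codes for stale and duplicate events are assumptions of this example; only the 401 for a missing or invalid signature comes from the text.

```python
import hashlib
import hmac
import logging
import time

MAX_AGE_S = 300   # reject events older than 5 minutes
MAX_SKEW_S = 120  # tolerate sender clocks up to 2 minutes ahead of ours
log = logging.getLogger("webhook")


def sign(secret: bytes, event_id: str, ts: str, raw_body: bytes) -> str:
    # The MAC covers id and timestamp as well as the body, so neither can be
    # swapped on a captured request without invalidating the signature.
    msg = event_id.encode() + b"." + ts.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, raw_body, seen, now=None):
    """Return (status, reason). `seen` maps accepted event id -> its timestamp."""
    now = time.time() if now is None else now
    sig, ts, event_id = (headers.get(h) for h in ("X-Signature", "X-Timestamp", "X-Event-Id"))
    # No '.' in the id and digits-only timestamp keep the signed layout unambiguous.
    if not (sig and ts and event_id) or "." in event_id or not (ts.isascii() and ts.isdigit()):
        log.warning("webhook rejected: missing or malformed signature headers")
        return 401, "missing or malformed signature headers"
    expected = sign(secret, event_id, ts, raw_body)
    # compare_digest takes time independent of where the two values differ.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        log.warning("webhook rejected: bad signature for event %r", event_id)
        return 401, "invalid signature"
    # Only after the signature passes is the timestamp worth evaluating.
    sent = int(ts)
    if now - sent > MAX_AGE_S or sent - now > MAX_SKEW_S:
        return 400, "timestamp outside window"
    # Entries older than the window can be dropped: a replay fails the age check.
    for old in [k for k, t in seen.items() if now - t > MAX_AGE_S]:
        del seen[old]
    if event_id in seen:
        return 409, "duplicate event"
    seen[event_id] = sent
    return 200, "accepted"
```

The in-memory `seen` dict stands in for a shared store; with several workers the duplicate check has to live somewhere all of them can see.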

Receiving: Idempotency (Critical)

Installs: 1
Repository: openclaw/skills
GitHub Stars: 4.5K
First Seen: Feb 18, 2026