Webhook Security
Overview
Webhooks deliver real-time data to your app, but an open endpoint is an attack surface. Without verification, anyone can POST fake events to your webhook URL. This skill covers signature verification, replay protection, idempotency, and reliable processing patterns.
Instructions
Step 1: Signature Verification
Every major provider signs webhook payloads with HMAC. Verify before processing.
// lib/webhooks/verify.ts — Generic HMAC verification
import crypto from 'crypto'

export function verifyHmacSignature(
  payload: string | Buffer,
  signature: string,
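The check from Step 1 combined with the replay protection mentioned in the overview, as an added example that is not the skill's own code. The signing scheme (hex HMAC-SHA256 over `timestamp.rawBody`), the names `signWebhook` and `verifyWebhook`, the 300-second tolerance and the sample values are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

// Assumed scheme (not from the page): the provider sends a hex HMAC-SHA256
// of `${timestamp}.${rawBody}` together with the Unix timestamp it signed.
type VerifyResult = 'ok' | 'bad_signature' | 'stale' | 'malformed'

function signWebhook(rawBody: string | Buffer, timestamp: number, secret: string): string {
  return createHmac('sha256', secret).update(`${timestamp}.`).update(rawBody).digest('hex')
}

function verifyWebhook(
  rawBody: string | Buffer, // raw request bytes, never re-serialized JSON
  signatureHex: string,
  timestamp: number,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  toleranceSeconds: number = 300,
): VerifyResult {
  // Require exactly 64 hex characters before decoding: Buffer.from(x, 'hex')
  // silently stops at the first invalid character instead of failing.
  if (!/^[0-9a-f]{64}$/i.test(signatureHex) || !Number.isInteger(timestamp)) {
    return 'malformed'
  }
  const expected = Buffer.from(signWebhook(rawBody, timestamp, secret), 'hex')
  const received = Buffer.from(signatureHex, 'hex')
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!timingSafeEqual(expected, received)) return 'bad_signature'
  // Freshness is checked only after the MAC verifies, so the timestamp is trusted.
  if (Math.abs(nowSeconds - timestamp) > toleranceSeconds) return 'stale'
  return 'ok'
}

// Constructed sample values, not real credentials or events.
const SECRET = 'example-secret-constructed'
const BODY = '{"id":"evt_1","type":"invoice.paid"}'
const SENT_AT = 1700000000
const SAMPLE_SIG = signWebhook(BODY, SENT_AT, SECRET)
```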