Webhook Monitoring Guide
Short answer: webhook monitoring is when the monitoring system, on an event (site went down, recovered, SSL expiring), sends an HTTP POST with a JSON payload to your endpoint. Unlike ready-made integrations, a webhook lets you route an alert into any system of your own: a ticket tracker, a chat bot, an automatic rollback. The key security rule is to verify the HMAC signature (X-*-Signature) and the timestamp; otherwise anyone can forge an alert.
Why webhooks
Ready-made integrations (Telegram, Slack, PagerDuty) cover common cases. But if you need to call your own API, create an incident in a homegrown system, or trigger a runbook, you need a webhook. It is the universal "glue" between monitoring and your infrastructure.
- Automation — an alert runs a script, not just notifies;
- Your own logic — routing, deduplication, escalation on your side;
- Integration — any system with an HTTP endpoint;
- Audit — all events in your own database.
JSON payload structure
A typical "monitor down" payload carries an identifier, the event type, the target, a timestamp, and details:
```json
{
  "event": "monitor.down",
  "monitor_id": 4821,
  "monitor_name": "API production",
  "url": "https://api.example.com/health",
  "status": "down",
  "http_code": 503,
  "error": "Service Unavailable",
  "region": "eu-de",
  "checked_at": "2026-06-18T09:14:22Z",
  "timestamp": 1781766862
}
```
Verifying the HMAC signature
Never trust a payload without verifying the signature. The sender computes HMAC-SHA256 over the request body with a secret and puts it in the X-Signature header. The receiver recomputes it and compares in constant time.
```javascript
// Node.js: verify webhook signature and protect against replay
const crypto = require('crypto');

function verifyWebhook(req, secret) {
  const signature = req.headers['x-signature'] || '';
  const timestamp = req.headers['x-timestamp'] || '';
  const body = req.rawBody; // raw body before JSON.parse

  // 1. Replay protection: 300-second window.
  //    A missing or non-numeric timestamp is rejected outright.
  const now = Math.floor(Date.now() / 1000);
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > 300) {
    return false;
  }

  // 2. Recompute the signature over timestamp + body
  const expected = crypto
    .createHmac('sha256', secret)
    .update(timestamp + '.' + body)
    .digest('hex');
  const provided = signature.replace(/^sha256=/, '');

  // 3. Constant-time comparison (length check first: timingSafeEqual
  //    throws on buffers of different length)
  const a = Buffer.from(expected, 'hex');
  const b = Buffer.from(provided, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```
Secure receiver checklist
| Check | Why |
|---|---|
| HMAC signature validation | Confirms the payload is from your provider |
| Timestamp window (±300s) | Protects against replay of an intercepted request |
| timingSafeEqual for comparison | Defends against timing attacks on the signature |
| Idempotency by event id | Duplicate deliveries do not create duplicate incidents |
| SSL/TLS only on the endpoint | Payload and signature are not readable in the clear |
Without signature verification a webhook endpoint is an open door: an attacker can send fake "site down/up" events and disrupt your automation. HMAC plus a timestamp close both forgery and replay.
Handling up/down events
After verifying the signature, branch by event type: monitor.down — open an incident, monitor.up — close it, ssl.expiring — create a task to renew the certificate. Make handling idempotent: providers retry delivery, and the same event may arrive twice.
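The branching and idempotency described above, as an added example (not enterno.io's code). Assumptions: the payload has already passed signature verification; because the sample payload shows no event id field, the dedup key is built from event, monitor_id and timestamp; the in-memory Maps and the 24-hour TTL are placeholders for a durable store.

```javascript
// Added example: idempotent dispatch of already-verified webhook events.
// Assumption: no event id in the sample payload, so the dedup key is
// event + monitor_id + timestamp. The Maps stand in for a database.
const seen = new Map();      // dedup key -> expiry time (ms)
const incidents = new Map(); // monitor_id -> open incident
const tasks = [];            // certificate renewal tasks
const DEDUP_TTL_MS = 24 * 60 * 60 * 1000; // assumed provider retry horizon

function dedupKey(p) {
  return [p.event, p.monitor_id, p.timestamp].join(':');
}

function handleEvent(payload, nowMs = Date.now()) {
  // Drop expired keys so the store does not grow without bound
  for (const [k, exp] of seen) if (exp <= nowMs) seen.delete(k);

  const key = dedupKey(payload);
  if (seen.has(key)) return 'duplicate'; // retried delivery: do nothing

  let result;
  switch (payload.event) {
    case 'monitor.down':
      // A second "down" for a monitor with an open incident adds nothing
      if (incidents.has(payload.monitor_id)) { result = 'already-open'; break; }
      incidents.set(payload.monitor_id,
        { openedAt: payload.timestamp, error: payload.error });
      result = 'opened';
      break;
    case 'monitor.up':
      result = incidents.delete(payload.monitor_id) ? 'closed' : 'no-open-incident';
      break;
    case 'ssl.expiring':
      tasks.push({ monitor_id: payload.monitor_id, action: 'renew-certificate' });
      result = 'task-created';
      break;
    default:
      result = 'ignored'; // unknown event types are acknowledged, not acted on
  }
  seen.set(key, nowMs + DEDUP_TTL_MS); // record the key only after handling
  return result;
}
```

In a multi-instance receiver the key check and insert must be one atomic operation in shared storage (for example a unique constraint), otherwise two workers can both process the same retry.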
Webhooks in enterno.io
enterno.io sends webhooks for the events monitor.down, monitor.up, monitor.degraded, ssl.expiring, ssl.expired, domain.expiring. Each request is HMAC-signed (X-*-Signature) with a timestamp — verify both. You can manage subscriptions through the REST API v4 (endpoint /api/v4/webhooks), including a test send. Besides webhooks, Telegram, Slack, email, PagerDuty, and Jira are available — a webhook is for when the ready-made integrations are not enough and you need custom logic.
FAQ
Why is a webhook better than a ready-made integration?
A ready-made integration notifies a specific service. A webhook gives full control: your own routing, triggering automation, integration with any HTTP system.
Is signature verification mandatory?
Yes. Without HMAC verification, anyone who learns your URL can send fake alerts. A signature plus a timestamp is the required security minimum.
Why is a timestamp window needed?
So an intercepted valid request cannot be replayed later (a replay attack). Requests older than ~300 seconds are rejected even with a correct signature.
How do I test a webhook receiver?
The enterno.io API v4 has a test send (action=test) that posts a real signed payload to your endpoint.
Route alerts into your own system: configure a webhook at enterno.io/monitors and manage subscriptions through the API v4.