Webhook signing is a mechanism where the sender adds an HMAC signature of the payload to an HTTP header, and the receiver verifies the signature with a shared secret. Without signing, anyone who knows the webhook URL can send fake events. Standard pattern: HMAC-SHA256(secret, timestamp + body) → header X-Hub-Signature-256. Used by Stripe, GitHub, Telegram, YooKassa, Slack.
Below: details, example, related terms, FAQ.
Free online tool — website security scanner: instant results, no signup.
hash_equals() in PHP, crypto.timingSafeEqual() in Node// PHP verification
$expected = hash_hmac("sha256", $body, $secret);
$actual = $_SERVER["HTTP_X_SIGNATURE_256"];
if (!hash_equals($expected, $actual)) return 401;Implementing HMAC signature for webhooks involves several steps to ensure secure communication between your server and the service sending the webhook. Here’s a practical guide:
{ "user_id": "12345", "event": "user.created" } import hmac
import hashlib
import json
shared_secret = b'secret_key'
payload = json.dumps({"user_id": "12345", "event": "user.created"})
timestamp = str(int(time.time())).encode()
message = timestamp + payload.encode()
signature = hmac.new(shared_secret, message, hashlib.sha256).hexdigest() headers = {"X-Hub-Signature-256": signature, "X-Timestamp": timestamp}
requests.post(url, headers=headers, json=payload) received_signature = headers.get("X-Hub-Signature-256")
# Recreate the signature and compare By following these steps, you can securely implement HMAC signature verification for your webhooks.
When implementing HMAC signature verification for webhooks, developers often encounter common errors that can lead to security vulnerabilities. Understanding these errors can help in troubleshooting and ensuring secure communications.
By being aware of these common errors, developers can implement more robust HMAC signature verification and enhance the security of their webhook integrations.
Securing webhooks using HMAC signatures is crucial for preventing unauthorized access and ensuring data integrity. Below are some best practices for implementing HMAC signature verification:
By adhering to these best practices, developers can significantly enhance the security of their webhook implementations using HMAC signatures.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeA secret in a header travels in plain. HMAC signs the body; the secret is never transmitted.
Timestamp + nonce in payload. Receiver confirms fresh timestamp (5 min window) and unused nonce.
Stripe (Stripe-Signature), GitHub (X-Hub-Signature-256), Slack (X-Slack-Signature), Telegram (X-Telegram-Bot-Api-Secret-Token), YooKassa.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.