๐ŸŽ New User? Get 20% off your first purchase with code NEWUSER20 ยท โšก Instant download ยท ๐Ÿ”’ Secure checkout Register Now โ†’
Menu

Categories

Security Intermediate

What is Webhook Signature Verification?

A security mechanism that verifies webhook payloads are authentic and unmodified using cryptographic signatures.

Webhook signature verification ensures that incoming webhook requests genuinely come from the expected service and have not been tampered with. The sender computes a signature (HMAC-SHA256) over the payload using a shared secret and includes it in a request header.

The receiver recalculates the signature over the received payload using the same secret and compares it with the value in the header. If they match, the webhook is authentic. Services like Stripe (Stripe-Signature), GitHub (X-Hub-Signature-256), and PayPal use this pattern. Always verify signatures so that spoofed webhook requests are rejected.
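
The sender and receiver steps described above, as an added example (not code from this page or from any of the services named). It uses the `sha256=<hex>` header format of GitHub's X-Hub-Signature-256; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

PREFIX = "sha256="  # scheme label used in GitHub's X-Hub-Signature-256 header


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes sent on the wire."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Receiver side: recompute the signature and compare in constant time.

    raw_body must be the unparsed request body. Re-serialising parsed JSON
    can change whitespace or key order, which changes the HMAC.
    """
    value = (header_value or "").strip()
    if not value.startswith(PREFIX):
        return False  # missing or malformed header: reject, never skip the check
    expected = sign(secret, raw_body)
    # compare_digest does not reveal how many leading characters matched
    return hmac.compare_digest(expected.encode(), value.encode())


# Constructed sample values (not real credentials or a real event)
SECRET = b"example-shared-secret"
BODY = b'{"event":"payment.succeeded","amount":1999}'
GOOD_HEADER = sign(SECRET, BODY)


def demo() -> dict:
    tampered = BODY.replace(b"1999", b"1")
    return {
        "authentic": verify(SECRET, BODY, GOOD_HEADER),
        "tampered_body": verify(SECRET, tampered, GOOD_HEADER),
        "wrong_secret": verify(b"guess", BODY, GOOD_HEADER),
        "missing_header": verify(SECRET, BODY, None),
    }


if __name__ == "__main__":
    print(demo())
```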

Related Terms

Two-Factor Authentication (2FA)
A security method requiring two different forms of identification before granting access to an account.
Principle of Least Privilege
A security principle where users and programs receive only the minimum access rights needed to perform their specific tasks.
API Security
Practices and mechanisms for protecting APIs from unauthorized access, data breaches, and abuse.
Secret Management
The practice of securely storing, accessing, and rotating sensitive credentials like API keys, passwords, and certificates.
PKI (Public Key Infrastructure)
A framework of policies, hardware, and software for creating, managing, distributing, and revoking digital certificates.
RBAC (Role-Based Access Control)
An access control model where permissions are assigned to roles, and users are assigned to roles rather than getting permissions directly.