Security Intermediate

What is Webhook Signature Verification?

A security mechanism that verifies webhook payloads are authentic and unmodified using cryptographic signatures.

Webhook signature verification ensures that incoming webhook requests genuinely come from the expected service and have not been tampered with. The sender computes a signature (HMAC-SHA256) over the payload with a shared secret and includes it in a request header.

The receiver recalculates the signature using the same secret and compares it with the value in the header. If they match, the webhook is authentic. Services like Stripe (Stripe-Signature), GitHub (X-Hub-Signature-256), and PayPal use this pattern. Always verify signatures to prevent spoofed webhook attacks.
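The sign-and-verify exchange described above, as an added example that is not taken from this page or from any provider's SDK. It assumes a generic `sha256=<hex>` header value; the secret, payload, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or provider data.
SECRET = b"example-shared-secret"
BODY = b'{"event":"payment.succeeded","id":"evt_constructed_001"}'


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes sent on the wire."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest  # assumed header format


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time."""
    if not header_value or not header_value.startswith("sha256="):
        return False  # missing header or unknown scheme: fail closed
    expected = sign(secret, raw_body)
    # compare_digest does not reveal how many leading characters matched
    return hmac.compare_digest(expected.encode(), header_value.encode())


def demo() -> dict:
    header = sign(SECRET, BODY)
    # Parsing and re-serializing changes whitespace, so the bytes differ
    # from what the sender signed even though the JSON is equivalent.
    reserialized = json.dumps(json.loads(BODY)).encode()
    return {
        "valid": verify(SECRET, BODY, header),
        "tampered_body": verify(
            SECRET, BODY.replace(b"succeeded", b"refunded"), header
        ),
        "wrong_secret": verify(b"other-secret", BODY, header),
        "missing_header": verify(SECRET, BODY, None),
        "reserialized_body": verify(SECRET, reserialized, header),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `reserialized_body` case is the common integration mistake: the signature must be checked against the raw request bytes, before any JSON parsing middleware touches them.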

Related Terms

JWT (JSON Web Token)
A compact, self-contained token format used for securely transmitting information between parties as a JSON object.
CSRF (Cross-Site Request Forgery)
An attack that tricks authenticated users into submitting unwanted requests to a web application they are logged into.
Supply Chain Attack
A cyberattack that targets less-secure elements in the software supply chain to compromise downstream users and organizations.
Vulnerability Scanning
Automated testing that identifies known security weaknesses in systems, applications, and network infrastructure.
API Security
Practices and mechanisms for protecting APIs from unauthorized access, data breaches, and abuse.
Zero Trust
A security model that requires strict identity verification for every user and device, regardless of their network location.