
Security Intermediate

What is Webhook Signature Verification?

A security mechanism that verifies webhook payloads are authentic and unmodified using cryptographic signatures.

Webhook signature verification ensures that incoming webhook requests genuinely come from the expected service and have not been tampered with. The sender computes a signature (HMAC-SHA256) over the payload using a shared secret and includes it in a request header.

The receiver recalculates the signature using the same secret and compares it with the value in the header. If they match, the webhook is authentic. Services like Stripe (Stripe-Signature), GitHub (X-Hub-Signature-256), and PayPal use this pattern. Always verify signatures to prevent spoofed webhook attacks.
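The receiver-side check described above, as an added example that is not from the original page or from any of the named services' own code. It assumes the GitHub-style header format `sha256=<hex digest>`; the secret, payload, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

PREFIX = "sha256="  # value format of GitHub's X-Hub-Signature-256 header

# Constructed sample data (not real credentials or a real event).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"payment.succeeded","amount":1000}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes sent on the wire."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Receiver side: recompute the signature and compare in constant time."""
    if not isinstance(header_value, str) or not header_value.startswith(PREFIX):
        return False  # missing or malformed header: reject, never skip the check
    expected = sign(secret, raw_body)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), header_value.encode())


def demo() -> dict:
    """Run the check against the cases a receiver has to get right."""
    sig = sign(SECRET, BODY)
    # Same JSON data, different bytes: parsing and re-serializing the body
    # before verifying changes whitespace and breaks the signature.
    reserialized = json.dumps(json.loads(BODY)).encode()
    return {
        "authentic": verify(SECRET, BODY, sig),
        "tampered_body": verify(SECRET, BODY.replace(b"1000", b"9000"), sig),
        "reserialized_body": verify(SECRET, reserialized, sig),
        "missing_header": verify(SECRET, BODY, None),
        "wrong_secret": verify(b"other-secret", BODY, sig),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```

Verify against the raw request bytes before any JSON parsing, since only the first case above is accepted.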

Related Terms

Phishing
A social engineering attack that uses fraudulent communications to trick people into revealing sensitive information or installing malware.
Hashing
A one-way function that converts input data into a fixed-size string of characters, used for data integrity and password storage.
Session Hijacking
An attack where an adversary takes over a legitimate user session by stealing or predicting the session identifier.
SAST (Static Application Security Testing)
Automated analysis of source code to find security vulnerabilities without executing the application.
CSRF (Cross-Site Request Forgery)
An attack that tricks authenticated users into submitting unwanted requests to a web application they are logged into.
OAuth 2.0
An authorization framework that allows third-party applications to access user resources without sharing passwords.