This article covers how webhook security signing works, how to verify signatures in your code, and how to layer additional protections against replay attacks and unauthorized access. If you are building webhook integrations for deep linking<\/a>, this is essential reading.<\/p>\n\n\n\n When you register a webhook endpoint with a platform like Tolinku<\/a>, you are creating a trust relationship. The platform promises to send legitimate event data to your URL. Your server promises to process it and respond with a status code. But HTTP alone does not enforce that trust.<\/p>\n\n\n\n Without signature verification, your webhook receiver has no way to answer a fundamental question: did this request actually come from the platform, or did someone else send it?<\/p>\n\n\n\n The risks break down into three categories:<\/p>\n\n\n\n Spoofed events.<\/strong> An attacker crafts a POST request that looks like a legitimate webhook payload and sends it to your endpoint. If your server blindly trusts the request body, it processes the fake event as real.<\/p>\n\n\n\n Tampered payloads.<\/strong> A man-in-the-middle intercepts a legitimate webhook in transit and modifies the payload before it reaches your server. The event is real, but the data has been altered.<\/p>\n\n\n\n Replay attacks.<\/strong> An attacker captures a legitimate, signed webhook request and resends it minutes, hours, or days later. The signature is valid because the payload has not changed, but the event is being processed a second time.<\/p>\n\n\n\n HMAC signing addresses all three of these risks.<\/p>\n\n\n\n HMAC<\/a> (Hash-based Message Authentication Code) is a cryptographic mechanism for verifying both the integrity and authenticity of a message. When applied to webhooks, the process works like this:<\/p>\n\n\n\n The critical property of HMAC is that you cannot compute a valid signature without knowing the secret. An attacker who intercepts a webhook can see the payload and the signature, but they cannot forge a new signature for a different payload without the secret key.<\/p>\n\n\n\n Here is a simplified diagram of the flow:<\/p>\n\n\n\n The RFC 2104<\/a> specification defines HMAC. SHA-256 is the hash function used in most modern implementations because it provides a strong balance of security and performance.<\/p>\n\n\n\n Here is a complete example of verifying webhook signatures in an Express application. This implementation covers the essentials: extracting the signature header, computing the expected signature, and using a timing-safe comparison.<\/p>\n\n\n\n A few critical details in this code:<\/p>\n\n\n\n Use the raw request body.<\/strong> The signature is computed over the exact bytes sent by the platform. If you parse the JSON first and then re-serialize it, whitespace differences or key reordering will produce a different hash. Always compute the HMAC over the raw body buffer.<\/p>\n\n\n\n Use Return 401 for invalid signatures.<\/strong> Do not return 200 for failed verification. A 401 response tells the sender (and any monitoring systems) that the request was rejected for authentication reasons.<\/p>\n\n\n\n HMAC signing alone does not prevent replay attacks. If an attacker captures a valid signed request, the signature remains valid indefinitely because the payload has not changed. To mitigate this, include a timestamp in the signed payload and enforce a tolerance window on the receiving end.<\/p>\n\n\n\n Most webhook platforms include a timestamp header alongside the signature. The signature is computed over both the timestamp and the body, so an attacker cannot modify the timestamp without invalidating the signature.<\/p>\n\n\n\n A five-minute tolerance window is a reasonable default. It accounts for clock drift between servers and network latency while still blocking replays of old requests. The Standard Webhooks<\/a> specification recommends a similar approach, combining a timestamp with the signature to form a verifiable, time-bound token.<\/p>\n\n\n\n For additional replay protection, you can store processed event IDs and reject duplicates. This provides defense in depth: even if a replayed request somehow falls within the timestamp window, the duplicate ID check catches it.<\/p>\n\n\n\n Signature verification is your primary defense, but IP allowlisting adds a useful secondary layer. If your webhook platform publishes a list of IP addresses that send webhook traffic, you can configure your firewall or application to reject requests from any other source.<\/p>\n\n\n\n IP allowlisting is not a substitute for signature verification. IP addresses can be spoofed at the network layer, and platforms may add new IPs without notice. Treat it as defense in depth, not a standalone mechanism.<\/p>\n\n\n\n Every webhook endpoint should be served over HTTPS. This is non-negotiable. Without TLS, the entire webhook payload (including the signature header) travels in plaintext across the network. A network-level attacker could read, modify, or replay any request.<\/p>\n\n\n\n Most webhook platforms, including Tolinku<\/a>, require HTTPS endpoints and will refuse to deliver events to plain HTTP URLs. If you are developing locally, tools like ngrok<\/a> or localtunnel<\/a> provide HTTPS tunnels for testing.<\/p>\n\n\n\n Beyond basic TLS, consider these additional transport-layer practices:<\/p>\n\n\n\n Webhook secrets should not live forever. Regular rotation limits the damage if a secret is leaked. The challenge is rotating without downtime: if you change the secret and the platform sends a webhook signed with the new secret before your server is updated, verification fails and the event is lost.<\/p>\n\n\n\n The solution is a dual-secret verification window:<\/p>\n\n\n\n A quarterly rotation schedule is a good starting point. If your organization handles sensitive data (financial transactions, health records), consider monthly rotation.<\/p>\n\n\n\n Even with signing in place, several implementation mistakes can undermine your webhook security:<\/p>\n\n\n\n Parsing JSON before verifying.<\/strong> If you use Logging secrets.<\/strong> Webhook secrets should never appear in logs, error messages, or stack traces. Treat them like database passwords. Store them in environment variables or a secrets manager, never in source code.<\/p>\n\n\n\n Ignoring failed verifications.<\/strong> Some implementations log a warning for invalid signatures but still process the event. This defeats the entire purpose of signing. Failed verification must result in a rejected request, every time.<\/p>\n\n\n\n Hardcoding the secret.<\/strong> If the secret is in your source code, it is in your version control history, your CI\/CD logs, and potentially your Docker images. Use environment variables or a service like AWS Secrets Manager<\/a>, HashiCorp Vault<\/a>, or your cloud provider's equivalent.<\/p>\n\n\n\n Skipping verification in development.<\/strong> It is tempting to bypass signature checks in local development. Do not. Use your platform's test mode or generate a local signing secret. Skipping verification in development builds habits that carry into production.<\/p>\n\n\n\n Before deploying your webhook receiver, verify that your implementation correctly rejects invalid signatures. Here is a test script that generates a signed payload and sends it to your local endpoint:<\/p>\n\n\n\n Run this script with the correct secret and confirm you get a 200 response. Then change the secret or modify the body after signing and confirm you get a 401. Both cases need to work correctly.<\/p>\n\n\n\n For more comprehensive testing, tools like Webhook.site<\/a> let you inspect payloads during development, and the Standard Webhooks<\/a> project provides reference implementations you can test against.<\/p>\n\n\n\n A production-grade webhook receiver combines all of these protections into a layered defense:<\/p>\n\n\n\n Each layer addresses a different attack vector. Together, they make your webhook integration resilient against spoofing, tampering, replay attacks, and unauthorized access.<\/p>\n\n\n\n Tolinku's webhook signing documentation<\/a> covers the platform-specific details: which headers are used, how the signing content is structured, and where to find your webhook secret in the dashboard. If you are just getting started with webhooks, the companion article on webhooks and integrations for deep linking<\/a> covers the broader architecture, event types, and integration patterns.<\/p>\n","protected":false},"excerpt":{"rendered":" Secure your webhooks with HMAC signing and verification. Prevent spoofed events, replay attacks, and unauthorized access to your deep link data.<\/p>\n","protected":false},"author":2,"featured_media":1115,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Webhook Security: HMAC Signing and Verification Guide","rank_math_description":"Secure your webhooks with HMAC signing and verification. Prevent spoofed events, replay attacks, and unauthorized access to your deep link data.","rank_math_focus_keyword":"webhook security signing","rank_math_canonical_url":"","rank_math_facebook_title":"","rank_math_facebook_description":"","rank_math_facebook_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-webhook-security-signing.png","rank_math_facebook_image_id":"","rank_math_twitter_title":"","rank_math_twitter_description":"","rank_math_twitter_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-webhook-security-signing.png","footnotes":""},"categories":[15],"tags":[62,218,20,264,69,36,93,61],"class_list":["post-1116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-engineering","tag-api","tag-authentication","tag-deep-linking","tag-engineering","tag-mobile-development","tag-privacy","tag-security","tag-webhooks"],"_links":{"self":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/comments?post=1116"}],"version-history":[{"count":2,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1116\/revisions"}],"predecessor-version":[{"id":2249,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1116\/revisions\/2249"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media\/1115"}],"wp:attachment":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media?parent=1116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/categories?post=1116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/tags?post=1116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Tolinku](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/platform-webhooks.png\")
\nThe webhooks page with create form, webhook list, and delivery log.<\/em><\/p>\n\n\n\nWhy Webhook Security Matters<\/h2>\n\n\n\n
How HMAC-SHA256 Signing Works<\/h2>\n\n\n\n
\n
X-Webhook-Signature<\/code> or similar).<\/li>\nPlatform Your Server\n | |\n |-- Compute HMAC(secret, body) ------->|\n |-- Send POST with signature header -->|\n | |-- Compute HMAC(secret, body)\n | |-- Compare signatures\n | |-- Accept or reject\n<\/code><\/pre>\n\n\n\nVerifying Webhook Signatures in Node.js<\/h2>\n\n\n\n
const crypto = require('crypto');\nconst express = require('express');\n\nconst app = express();\n\n\/\/ Important: use raw body for signature verification.\n\/\/ JSON parsing alters whitespace and key order, which\n\/\/ changes the hash.\napp.use('\/webhooks', express.raw({ type: 'application\/json' }));\n\nconst WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;\n\nfunction verifySignature(payload, signatureHeader) {\n if (!signatureHeader) {\n return false;\n }\n\n const expectedSignature = crypto\n .createHmac('sha256', WEBHOOK_SECRET)\n .update(payload)\n .digest('hex');\n\n \/\/ Use timingSafeEqual to prevent timing attacks.\n \/\/ Both buffers must be the same length.\n const expected = Buffer.from(expectedSignature, 'hex');\n const received = Buffer.from(signatureHeader, 'hex');\n\n if (expected.length !== received.length) {\n return false;\n }\n\n return crypto.timingSafeEqual(expected, received);\n}\n\napp.post('\/webhooks\/tolinku', (req, res) => {\n const signature = req.headers['x-webhook-signature'];\n\n if (!verifySignature(req.body, signature)) {\n console.warn('Webhook signature verification failed');\n return res.status(401).json({ error: 'Invalid signature' });\n }\n\n \/\/ Signature is valid. Parse and process the event.\n const event = JSON.parse(req.body.toString());\n console.log('Verified event:', event.event);\n\n \/\/ Process the event asynchronously to respond quickly.\n processEvent(event).catch(console.error);\n\n res.status(200).json({ received: true });\n});\n<\/code><\/pre>\n\n\n\ncrypto.timingSafeEqual<\/code>.<\/strong> A naive string comparison (===<\/code>) leaks timing information. An attacker can measure how long the comparison takes to determine how many bytes of the signature are correct, then brute-force the rest. The timingSafeEqual<\/code><\/a> function takes constant time regardless of where the mismatch occurs.<\/p>\n\n\n\nPreventing Replay Attacks with Timestamps<\/h2>\n\n\n\n
const TIMESTAMP_TOLERANCE_MS = 5 * 60 * 1000; \/\/ 5 minutes\n\nfunction verifySignatureWithTimestamp(payload, signatureHeader, timestampHeader) {\n if (!signatureHeader || !timestampHeader) {\n return false;\n }\n\n \/\/ Check timestamp freshness.\n const timestamp = parseInt(timestampHeader, 10);\n const now = Date.now();\n\n if (Math.abs(now - timestamp) > TIMESTAMP_TOLERANCE_MS) {\n console.warn('Webhook timestamp outside tolerance window');\n return false;\n }\n\n \/\/ The signed content includes the timestamp to prevent\n \/\/ an attacker from replacing the timestamp on a captured\n \/\/ request.\n const signedContent = `${timestampHeader}.${payload.toString()}`;\n\n const expectedSignature = crypto\n .createHmac('sha256', WEBHOOK_SECRET)\n .update(signedContent)\n .digest('hex');\n\n const expected = Buffer.from(expectedSignature, 'hex');\n const received = Buffer.from(signatureHeader, 'hex');\n\n if (expected.length !== received.length) {\n return false;\n }\n\n return crypto.timingSafeEqual(expected, received);\n}\n<\/code><\/pre>\n\n\n\nIP Allowlisting<\/h2>\n\n\n\n
const ALLOWED_IPS = new Set([\n \/\/ Replace with your platform's published webhook IPs.\n '203.0.113.10',\n '203.0.113.11',\n '198.51.100.5',\n]);\n\nfunction isAllowedIP(req) {\n const clientIP = req.headers['x-forwarded-for']?.split(',')[0].trim()\n || req.socket.remoteAddress;\n return ALLOWED_IPS.has(clientIP);\n}\n\napp.post('\/webhooks\/tolinku', (req, res) => {\n if (!isAllowedIP(req)) {\n return res.status(403).json({ error: 'Forbidden' });\n }\n\n \/\/ Continue with signature verification...\n});\n<\/code><\/pre>\n\n\n\nTLS and HTTPS Requirements<\/h2>\n\n\n\n
\n
Secret Rotation<\/h2>\n\n\n\n
\n
const WEBHOOK_SECRETS = [\n process.env.WEBHOOK_SECRET_CURRENT,\n process.env.WEBHOOK_SECRET_PREVIOUS,\n].filter(Boolean);\n\nfunction verifySignatureMultiSecret(payload, signatureHeader) {\n if (!signatureHeader) {\n return false;\n }\n\n const received = Buffer.from(signatureHeader, 'hex');\n\n for (const secret of WEBHOOK_SECRETS) {\n const expectedSignature = crypto\n .createHmac('sha256', secret)\n .update(payload)\n .digest('hex');\n\n const expected = Buffer.from(expectedSignature, 'hex');\n\n if (expected.length === received.length\n && crypto.timingSafeEqual(expected, received)) {\n return true;\n }\n }\n\n return false;\n}\n<\/code><\/pre>\n\n\n\nCommon Vulnerabilities to Avoid<\/h2>\n\n\n\n
express.json()<\/code> middleware on your webhook route, the raw body is discarded. You end up computing the HMAC over a re-serialized version of the payload, which will not match the original signature. Always use express.raw()<\/code> for webhook routes.<\/p>\n\n\n\nTesting Signature Verification<\/h2>\n\n\n\n
const crypto = require('crypto');\nconst http = require('http');\n\nconst secret = 'your-test-secret';\nconst body = JSON.stringify({\n event: 'link.clicked',\n timestamp: new Date().toISOString(),\n data: { link_id: 'lnk_test123', url: 'https:\/\/example.com\/test' }\n});\n\nconst signature = crypto\n .createHmac('sha256', secret)\n .update(body)\n .digest('hex');\n\nconst options = {\n hostname: 'localhost',\n port: 3000,\n path: '\/webhooks\/tolinku',\n method: 'POST',\n headers: {\n 'Content-Type': 'application\/json',\n 'X-Webhook-Signature': signature,\n 'X-Webhook-Event': 'link.clicked',\n 'User-Agent': 'Tolinku\/1.0',\n },\n};\n\nconst req = http.request(options, (res) => {\n console.log(`Status: ${res.statusCode}`);\n});\n\nreq.write(body);\nreq.end();\n<\/code><\/pre>\n\n\n\nPutting It All Together<\/h2>\n\n\n\n
\n