Back to Blog

What is a Webhook Signature and Why Must You Validate It?

March 14, 2026 5 min read

Webhooks are the connective tissue of the modern internet. They allow applications to communicate in real-time, pushing data from one system to another as events happen. However, because webhooks are essentially open HTTP POST endpoints, they are inherently vulnerable to spoofing and replay attacks if left unsecured.

This is where webhook signatures come in.

The Anatomy of a Webhook Attack

Imagine you have an e-commerce platform that relies on a payment gateway like Stripe. When a user successfully pays, Stripe sends a webhook to your server to fulfill the order.

If your endpoint doesn't verify the origin of that request, an attacker could discover your webhook URL and send a fake payload saying "Order #12345 paid in full." Your system, blindly trusting the payload, ships the goods. You've just been robbed via API.

What is a Webhook Signature?

A webhook signature is a cryptographic hash generated by the sender (e.g., Stripe, GitHub, Twilio) using the payload body and a shared secret key. This signature is typically sent in an HTTP header (like `Stripe-Signature` or `X-Hub-Signature-256`).

When your server receives the webhook, it must: 1. Take the incoming raw payload body. 2. Hash it using the exact same algorithm and the shared secret key (which only you and the sender know). 3. Compare the resulting hash with the signature provided in the header.

If they match, the payload is authentic and hasn't been tampered with. If they don't, the request is either forged or corrupted, and you should reject it with an HTTP 401 or 403 status.

Why Validation is Non-Negotiable

1. Prevent Forgery: As demonstrated, without validation, anyone can hit your endpoint with arbitrary data. 2. Ensure Data Integrity: Even if a request comes from the right source, the payload could be intercepted and altered in transit (Man-in-the-Middle). The signature ensures the payload exactly matches what the sender transmitted. 3. Mitigate Replay Attacks: Many modern webhook signatures include a timestamp. By validating the signature and checking that the timestamp is within a few minutes of the current time, you prevent attackers from capturing a valid request and sending it repeatedly.

Best Practices for Signature Validation

* Always use raw payloads: Middleware (like Express `body-parser` in Node.js) often parses and modifies the incoming JSON. Cryptographic hashing requires the exact, byte-for-byte raw string. Always compute the hash against the raw body. * Use constant-time string comparison: When comparing the computed hash with the header hash, use a secure, constant-time comparison function (like `crypto.timingSafeEqual` in Node.js). Regular string comparison (`===`) fails fast on the first mismatched character, allowing attackers to guess the signature via timing attacks. * Rotate secrets securely: If you suspect your webhook secret has been compromised, roll it immediately.

Conclusion

At OpSecForge, we believe security should never be an afterthought. Validating webhook signatures is a foundational operational security practice. It transforms a public, vulnerable endpoint into a secure, verifiable channel for system communication.