
Signature Verification

Always verify the webhook signature before acting on a payload. Compute HMAC-SHA-256 over the raw request body bytes (not a re-serialized JSON object, which may differ byte-for-byte) using your webhook secret, and compare the result in constant time against the `x-signature-sha256` header:
const crypto = require('crypto');

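/**
 * Verify a webhook signature: HMAC-SHA-256 of `payload` keyed with `secret`,
 * hex-encoded, compared in constant time against `signature`.
 *
 * @param {string|Buffer} payload - Raw request body exactly as received.
 * @param {string|undefined} signature - Value of the signature header (hex).
 * @param {string|Buffer} secret - Shared webhook secret.
 * @returns {boolean} true only when the signature matches; never throws on
 *   attacker-controlled input (missing or wrong-length signatures return false).
 */
const verifyWebhookSignature = (payload, signature, secret) => {
  // A missing or non-string header must fail verification, not crash the
  // handler: Buffer.from(undefined) would throw a TypeError.
  if (typeof signature !== 'string') {
    return false;
  }

  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  const provided = Buffer.from(signature);
  const expected = Buffer.from(expectedSignature);

  // crypto.timingSafeEqual throws a RangeError when the two buffers differ in
  // length, so without this guard an attacker could trigger an unhandled
  // exception by sending a short header. The expected digest length is public
  // (64 hex chars), so an early return on length mismatch leaks nothing useful.
  if (provided.length !== expected.length) {
    return false;
  }

  // Constant-time comparison so response timing does not reveal how many
  // leading bytes of a guessed signature were correct.
  return crypto.timingSafeEqual(provided, expected);
};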

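// Webhook receiver: authenticate the raw body with its HMAC before parsing or
// processing anything, so unauthenticated requests never reach processEvent.
app.post('/webhooks/killb', express.raw({type: 'application/json'}), (req, res) => {
  const signature = req.headers['x-signature-sha256'];

  // express.raw only sets req.body to a Buffer when the Content-Type matches;
  // otherwise req.body is {} and .toString() would yield "[object Object]".
  // Reject such requests explicitly instead of verifying a meaningless string.
  if (!Buffer.isBuffer(req.body)) {
    return res.status(400).json({ error: 'Expected application/json body' });
  }
  const payload = req.body.toString('utf8');

  // Verify over the raw bytes first: never parse untrusted input before the
  // signature has been checked.
  if (!verifyWebhookSignature(payload, signature, WEBHOOK_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  // A correctly signed but malformed body should produce a 4xx, not an
  // uncaught JSON.parse exception surfacing as a 500.
  let event;
  try {
    event = JSON.parse(payload);
  } catch (err) {
    return res.status(400).json({ error: 'Malformed JSON payload' });
  }

  processEvent(event);

  res.status(200).json({ received: true });
});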

Security Best Practices

Always use HTTPS for webhook endpoints
Use secrets of at least 32 characters generated by a cryptographically secure random source (for example `crypto.randomBytes`), and keep them out of source control and logs
Never skip signature verification
Protect against webhook flooding: rate-limit the endpoint, keep the handler fast (verify, enqueue, respond), and make sure requests that fail verification never trigger expensive work

Next Steps

Event Reference

View all webhook events