Signature verification
Always verify the webhook signature with HMAC SHA-256:
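```javascript
const crypto = require('crypto');
const express = require('express');

const app = express();
// Assumption: the shared secret is supplied through an environment variable
const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;

const verifyWebhookSignature = (payload, signature, secret) => {
  // Reject a missing or repeated header before comparing
  if (typeof signature !== 'string') return false;

  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  const received = Buffer.from(signature);
  const expected = Buffer.from(expectedSignature);

  // timingSafeEqual throws when the lengths differ, so check first
  if (received.length !== expected.length) return false;

  // Use a constant-time comparison
  return crypto.timingSafeEqual(received, expected);
};

app.post('/webhooks/killb', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-signature-sha256'];
  const payload = req.body.toString();

  if (!verifyWebhookSignature(payload, signature, WEBHOOK_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  // Process the webhook; processEvent is your application's own handler
  const event = JSON.parse(payload);
  processEvent(event);

  res.status(200).json({ received: true });
});
```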
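Security best practices
Always use HTTPS for webhook endpoints
Use a random secret of at least 32 characters
Never skip signature verification
Protect against webhook flooding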
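The following is an added example, not code from the KillB documentation: it generates a secret that satisfies the length guidance above and runs the verification logic against the inputs a receiver has to reject. The helper names (`generateSecret`, `sign`, `verify`, `runChecks`), the sample event body, and the assumption that the sender signs the exact raw body bytes with a hex HMAC SHA-256 are illustrative.

```javascript
const crypto = require('node:crypto');

// 32 random bytes, hex-encoded: a 64-character secret (above the 32-character minimum).
const generateSecret = () => crypto.randomBytes(32).toString('hex');

// Sender side (assumed): hex HMAC-SHA256 over the exact raw body bytes.
const sign = (rawBody, secret) =>
  crypto.createHmac('sha256', secret).update(rawBody).digest('hex');

// Receiver side: returns false instead of throwing on malformed input.
const verify = (rawBody, signature, secret) => {
  if (typeof signature !== 'string') return false; // header missing or repeated
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(signature);
  if (received.length !== expected.length) return false; // timingSafeEqual would throw
  return crypto.timingSafeEqual(received, expected);
};

const runChecks = () => {
  const secret = generateSecret();
  // Constructed sample payload; the field names are not KillB's event schema.
  const body = Buffer.from('{"id":"evt_constructed","event":"example"}');
  const tampered = Buffer.from('{"id":"evt_constructed","event":"other"}');
  // Same JSON content, different bytes: what a handler sees if it re-serializes
  // a parsed body instead of keeping the raw one (hence express.raw above).
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(body.toString()), null, 2));
  const good = sign(body, secret);
  return {
    secretLength: secret.length,
    valid: verify(body, good, secret),
    missingHeader: verify(body, undefined, secret),
    truncated: verify(body, good.slice(0, 10), secret),
    tamperedBody: verify(tampered, good, secret),
    wrongSecret: verify(body, good, generateSecret()),
    reserializedBody: verify(reserialized, good, secret),
  };
};

console.log(runChecks());
```

Only the untouched body with the matching secret verifies; every other case returns `false` without raising an exception that could surface as a 500 response.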
Next steps