> ## Documentation Index
> Fetch the complete documentation index at: https://docs.killb.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhook 安全

> 保护您的 webhook 端点

## 签名验证

始终使用 HMAC SHA-256 验证 webhook 签名：

```javascript theme={null}
const crypto = require('crypto');

const verifyWebhookSignature = (payload, signature, secret) => {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  
  // 使用恒定时间比较
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
};

app.post('/webhooks/killb', express.raw({type: 'application/json'}), (req, res) => {
  const signature = req.headers['x-signature-sha256'];
  const payload = req.body.toString();
  
  if (!verifyWebhookSignature(payload, signature, WEBHOOK_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }
  
  // 处理 webhook
  const event = JSON.parse(payload);
  processEvent(event);
  
  res.status(200).json({ received: true });
});
```

## 安全最佳实践

<AccordionGroup>
  <Accordion title="仅使用 HTTPS" icon="lock">
    始终对 webhook 端点使用 HTTPS
  </Accordion>

  <Accordion title="强密钥" icon="key">
    使用至少 32 个字符的随机密钥
  </Accordion>

  <Accordion title="验证每个请求" icon="shield-check">
    永远不要跳过签名验证
  </Accordion>

  <Accordion title="速率限制" icon="gauge">
    防止 webhook 泛滥
  </Accordion>
</AccordionGroup>

## 下一步

<Card title="事件参考" icon="list" href="/zh/guides/webhooks/events">
  查看所有 webhook 事件
</Card>
