Webhook Signature Verification (HMAC-SHA256) in Node, Python, Ruby — 2026 Guide
This article provides a comprehensive guide to implementing HMAC-SHA256 webhook signature verification in Node.js, Python, and Ruby, emphasizing the importance of security in validating incoming webhook requests. It highlights common implementation mistakes such as verifying after body parsing and using insecure comparison operators. The guide offers code examples and best practices to prevent attacks like replay and timing attacks across platforms like Stripe, GitHub, and Slack.
- Webhook signature verification prevents unauthorized POST requests from triggering sensitive actions like refunds or account creation.
- A common error is verifying the signature after parsing the JSON body, which alters the raw data and causes mismatches.
- Using constant-time comparison functions like crypto.timingSafeEqual or hmac.compare_digest is essential to prevent timing attacks.
- Each environment and endpoint should use a unique signing secret stored in environment variables, not in source code.
- The verification process requires the raw request body, HMAC-SHA256 computation with the secret, proper encoding, and secure header comparison.
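The four steps in the last bullet, as an added example in Python (not code from the article or from hookray.com). It assumes a constructed Stripe-style header `t=<unix ts>,v1=<hex>` computed over `<ts>.<raw body>`, and also shows why verifying a re-serialized JSON body fails and how a timestamp window limits replays.

```python
import hmac
import hashlib
import json
import time
from typing import Optional, Tuple

# Assumed header scheme (constructed for this example): "t=<ts>,v1=<hex hmac-sha256>"
TOLERANCE_SECONDS = 300  # reject signatures whose timestamp is older than this


def sign(secret: bytes, raw_body: bytes, ts: int) -> str:
    """Producer side: HMAC-SHA256 over '<ts>.<raw body>', hex-encoded."""
    mac = hmac.new(secret, str(ts).encode() + b"." + raw_body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def parse_signature_header(header: str) -> Tuple[int, str]:
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


def verify(secret: bytes, raw_body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Consumer side: must be fed the raw bytes, before any JSON parsing."""
    now = int(time.time()) if now is None else now
    try:
        ts, received = parse_signature_header(header)
    except (KeyError, ValueError):
        return False  # malformed header: reject without leaking why
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # outside the replay window
    expected = hmac.new(secret, str(ts).encode() + b"." + raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison, never == on the digests
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    secret = b"whsec_constructed_example"  # constructed; real secrets come from env vars
    raw = b'{"id":"evt_1","amount":1000,"currency":"usd"}\n'  # constructed sample body
    ts = 1_700_000_000
    header = sign(secret, raw, ts)
    # What a handler sees if it verifies after the framework parsed and re-encoded the body
    reserialized = json.dumps(json.loads(raw)).encode()
    return {
        "raw_ok": verify(secret, raw, header, now=ts + 10),
        "reserialized_ok": verify(secret, reserialized, header, now=ts + 10),
        "replayed_ok": verify(secret, raw, header, now=ts + 3600),
        "tampered_ok": verify(secret, raw.replace(b"1000", b"1"), header, now=ts + 10),
    }
```

Only `raw_ok` is true; the re-serialized body, the hour-old replay and the tampered amount all fail.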
Opening excerpt (first ~120 words):
ShotaTanikawa • Posted on Apr 29 • Originally published at hookray.com
#webhooks #node #python #security

I review a lot of webhook handlers. Roughly 3 out of 5 either have a subtle signature-verification bug — or someone disabled verification entirely "to make it work." Both leave a public POST endpoint that anyone with the URL can fire fake events at.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.