ToolypetMCP
Level: intermediate | Time: 4 minutes | Category: security

HMAC Webhook Security Chain

Implement complete webhook security: generate shared secret, sign payloads, and verify signatures.

Tags: hmac, webhook, signature, verification, api

When to use this recipe

Implement webhook signing the way Stripe, GitHub, and Shopify do. An HMAC computed over the payload with a shared secret lets the receiver confirm two things: the webhook was produced by a holder of the secret (authenticity) and the body was not modified in transit (integrity).

Steps

1

Create shared secret

Prompt: Generate a 256-bit hex webhook signing secret
2

Sign the webhook payload

Prompt: Generate HMAC-SHA256 of payload '{"event":"payment.completed","amount":99.99}' using the secret
3

Verify signature match

Prompt: Regenerate HMAC with the same payload and secret to verify signatures match (simulating receiver)
4

Add replay protection

Tool: Timestamp Converter

Prompt: Include a timestamp in the signature to prevent replay attacks; show the current Unix timestamp

Frequently asked questions

How do I prevent webhook replay attacks?

Include a timestamp in the signed data, not just next to it: sign `<timestamp>.<body>` and send the timestamp alongside the signature, so an attacker cannot change it without invalidating the MAC. Reject requests whose timestamp is more than 5 minutes from the receiver's clock. Some implementations also include a nonce (a unique ID per request) and remember the IDs seen within that window, so an exact replay inside the 5 minutes is rejected as well.

What if the HMAC doesn't match?

Return 401 Unauthorized, do not process the event, and log the attempt. Always compare the received and recomputed signatures with a constant-time comparison (for example `hmac.compare_digest`), never with `==`. Common causes of a legitimate mismatch: a wrong secret or a secret keyed with a different encoding on each side (raw bytes from the hex versus the hex string itself), a payload altered by middleware before verification (JSON parsed and re-serialized, whitespace or character-encoding changes; always verify the raw request bytes), or a different HMAC algorithm or digest encoding (hex versus base64).
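The four steps above and the two FAQ answers, worked through end to end as an added example (this is not the recipe's own code or Toolypet's): the sender generates a 256-bit secret, signs `<timestamp>.<raw body>`, and the receiver recomputes the MAC over the raw bytes, compares it in constant time, enforces the 5-minute window, and rejects an exact duplicate delivery. The header layout `t=<timestamp>,v1=<hex digest>` is an assumption modelled on Stripe's signature header, the key is the hex secret string as ASCII (both sides must agree on this), and the payload is the constructed sample from step 2.

```python
"""Added example: end-to-end HMAC-SHA256 webhook signing and verification."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

TOLERANCE_SECONDS = 300  # reject signatures whose timestamp is more than 5 minutes off

# Constructed sample payload: the raw request body bytes exactly as sent on the wire.
SAMPLE_PAYLOAD = b'{"event":"payment.completed","amount":99.99}'


def generate_secret() -> str:
    """Step 1: 256-bit signing secret as 64 hex characters from a CSPRNG."""
    return secrets.token_hex(32)


def sign(secret: str, payload: bytes, timestamp: int) -> str:
    """Steps 2 and 4: HMAC-SHA256 over "<timestamp>.<raw body>".

    Because the timestamp is part of the MAC input, an attacker cannot refresh
    a captured webhook by editing it. The t=...,v1=... header layout is an
    assumption modelled on Stripe's scheme, not something the recipe mandates.
    """
    key = secret.encode("ascii")  # assumption: hex string used as-is; both sides must agree
    message = str(timestamp).encode("ascii") + b"." + payload
    digest = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_header(header: str) -> Tuple[int, str]:
    """Split "t=<unix>,v1=<hex>" into its two fields (raises on malformed input)."""
    fields = dict(part.split("=", 1) for part in header.split(","))
    return int(fields["t"]), fields["v1"]


def verify(secret: str, payload: bytes, header: str,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Step 3 (receiver side): recompute the MAC over the *raw* body and
    compare in constant time. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, received = parse_header(header)
    except (KeyError, ValueError):
        return False, "malformed signature header"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    expected = sign(secret, payload, timestamp).split("v1=", 1)[1]
    # compare_digest does not leak where the digests diverge through timing.
    if not hmac.compare_digest(expected, received):
        return False, "signature mismatch"
    return True, "ok"


def verify_once(secret: str, payload: bytes, header: str, seen: Set[str],
                now: Optional[int] = None) -> Tuple[bool, str]:
    """Exact-replay guard from the FAQ: the same (timestamp, signature) pair
    delivered twice inside the window is rejected. `seen` only has to retain
    entries for TOLERANCE_SECONDS, since older ones fail the time check anyway."""
    ok, reason = verify(secret, payload, header, now)
    if not ok:
        return ok, reason
    if header in seen:
        return False, "duplicate delivery (replay)"
    seen.add(header)
    return True, "ok"


def demo() -> dict:
    """Run the valid path and each FAQ failure mode; returns name -> (accepted, reason)."""
    secret = generate_secret()
    now = int(time.time())
    header = sign(secret, SAMPLE_PAYLOAD, now)
    seen: Set[str] = set()
    tampered = SAMPLE_PAYLOAD.replace(b"99.99", b"0.01")
    # Middleware that parses and re-serialises the JSON changes the bytes
    # (json.dumps inserts spaces after separators), so the MAC no longer matches.
    reserialised = json.dumps(json.loads(SAMPLE_PAYLOAD)).encode()
    return {
        "valid": verify_once(secret, SAMPLE_PAYLOAD, header, seen, now),
        "replayed": verify_once(secret, SAMPLE_PAYLOAD, header, seen, now),
        "tampered": verify(secret, tampered, header, now),
        "stale": verify(secret, SAMPLE_PAYLOAD, header, now + TOLERANCE_SECONDS + 1),
        "reserialised": verify(secret, reserialised, header, now),
        "wrong_secret": verify(generate_secret(), SAMPLE_PAYLOAD, header, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

In a real receiver, `payload` must be the request body bytes read before any JSON middleware runs, and `now` is the server clock; the `now` parameter exists only so the stale case can be exercised offline.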

Related recipes