HMAC Webhook Security Chain
Implement complete webhook security: generate a shared secret, sign payloads, and verify signatures.
When to use this recipe
Implement webhook security the way Stripe, GitHub, and Shopify do. HMAC signing ensures webhook payloads are authentic and untampered.
Steps
Sign the webhook payload (tool: HMAC Generator)
Verify signature match (tool: HMAC Generator)
Add replay protection (tool: Timestamp Converter)
Frequently asked questions
How do I prevent webhook replay attacks?
Include a timestamp in the signed payload. Reject requests older than 5 minutes. Some implementations also include a nonce (unique ID per request) to prevent exact replays.
What if the HMAC doesn't match?
Return 401 Unauthorized and log the attempt. Common causes: wrong secret, payload modification by middleware (whitespace, encoding), or using the wrong HMAC algorithm.
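The sign, verify and replay-protection steps and the two answers above, combined in one receiver-side check. This is an added example, not code from this site or from any of the providers named; the function names, the signed layout "<timestamp>.<nonce>.<raw body>" and the in-memory nonce set are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOLERANCE_SECONDS = 300  # the 5-minute window from the FAQ above


def new_secret() -> bytes:
    """Generate a 256-bit shared secret from the OS CSPRNG."""
    return secrets.token_bytes(32)


def sign_webhook(secret: bytes, raw_body: bytes, timestamp: str, nonce: str) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<nonce>.<raw body>" (assumed layout)."""
    message = timestamp.encode() + b"." + nonce.encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, raw_body, timestamp, nonce, signature, seen_nonces, now=None):
    """Return (http_status, reason). raw_body must be the bytes exactly as
    received, before any middleware re-serialises or re-encodes them."""
    now = int(time.time()) if now is None else now
    try:
        sent_at = int(timestamp)
    except ValueError:
        return 401, "bad timestamp"
    # abs() also rejects timestamps far in the future, not only old ones.
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return 401, "stale timestamp"
    expected = sign_webhook(secret, raw_body, timestamp, nonce)
    # Constant-time comparison; comparing bytes avoids a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "signature mismatch"
    # Record the nonce only after the MAC checks out, so unauthenticated
    # requests cannot fill or poison the replay cache.
    if nonce in seen_nonces:
        return 401, "replay"
    seen_nonces.add(nonce)
    return 200, "ok"


if __name__ == "__main__":
    secret, seen = new_secret(), set()
    body = b'{"event":"order.paid","id":42}'  # constructed sample payload
    ts, nonce = str(int(time.time())), secrets.token_hex(16)
    sig = sign_webhook(secret, body, ts, nonce)
    print(verify_webhook(secret, body, ts, nonce, sig, seen))          # first delivery
    print(verify_webhook(secret, body, ts, nonce, sig, seen))          # exact replay
    print(verify_webhook(secret, body + b" ", ts, nonce, sig, set()))  # altered body
```

In a real receiver the nonce set needs an expiry at least as long as the timestamp window and must be shared across workers.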
Related recipes
Secure Password Workflow
Generate a strong password, verify its strength, and hash it for storage — a complete password security pipeline.
Web Security Header Audit
Audit your website's security headers, generate a CSP policy, evaluate it, and configure CORS.
JWT Authentication Setup
Set up JWT-based authentication: generate tokens, create signing keys, and implement TOTP for 2FA.
API Security Hardening
Harden your API with HMAC request signing, secure secrets, and SRI for client-side integrity.