Toolypet MCP
intermediate · 4 minutes · security

HMAC Webhook Security Chain

Implement complete webhook security: generate shared secret, sign payloads, and verify signatures.

Tags: hmac, webhook, signature, verification, api

When to use this recipe

Implement webhook security like Stripe, GitHub, and Shopify use. HMAC signing ensures webhook payloads are authentic and untampered.

Steps

Step 1: Secret Generator. Create the shared secret.

Prompt: Generate a 256-bit hex webhook signing secret

Step 2: HMAC Generator. Sign the webhook payload.

Prompt: Generate HMAC-SHA256 of payload '{"event":"payment.completed","amount":99.99}' using the secret

Step 3: HMAC Generator. Verify that the signatures match.

Prompt: Regenerate HMAC with the same payload and secret to verify signatures match (simulating receiver)

Step 4: Timestamp Converter. Add replay protection.

Prompt: Include a timestamp in the signature to prevent replay attacks — show current Unix timestamp

FAQ

How do I prevent webhook replay attacks?

Include a timestamp in the signed payload. Reject requests older than 5 minutes. Some implementations also include a nonce (unique ID per request) to prevent exact replays.

What if the HMAC doesn't match?

Return 401 Unauthorized and log the attempt. Common causes: wrong secret, payload modification by middleware (whitespace, encoding), or using the wrong HMAC algorithm.
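The four steps above and the two FAQ answers, worked through in code. This is an added example written for this page, not Toolypet's own tool code: it generates a 256-bit secret, signs "<timestamp>.<raw body>" with HMAC-SHA256, verifies with a constant-time comparison, rejects timestamps outside the 5-minute window, and rejects an exact replay. The header names X-Webhook-Timestamp and X-Webhook-Signature, the "timestamp.body" message layout, and the sample payload values are assumptions chosen for the example; real providers use their own names and layouts.

```python
import hashlib
import hmac
import json
import secrets
import time

# Matches the FAQ: reject requests older than 5 minutes.
TOLERANCE_SECONDS = 300

# Assumed header names for this example; providers each use their own.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"


def generate_secret():
    """Step 1: a 256-bit secret as 64 hex characters from a CSPRNG."""
    return secrets.token_hex(32)


def sign_payload(secret, timestamp, payload):
    """Steps 2 and 4: HMAC-SHA256 over "<timestamp>.<raw body>".

    Binding the timestamp into the signed message means a recipient can trust
    the timestamp header: changing it invalidates the signature.
    """
    message = str(timestamp).encode("ascii") + b"." + payload
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_headers(secret, payload, timestamp=None):
    """Sender side: the two headers that travel with the raw body."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        TIMESTAMP_HEADER: str(ts),
        SIGNATURE_HEADER: sign_payload(secret, ts, payload),
    }


def verify_webhook(secret, raw_body, headers, now=None, seen=None):
    """Step 3 plus replay protection. Returns (accepted, reason).

    Always verify over the raw request bytes. Re-serialising the JSON first
    is the "payload modification by middleware" failure from the FAQ.
    `seen` is an optional set of signatures already accepted inside the
    tolerance window, playing the role of the nonce check.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"

    # Replay protection: outside the window, do not even compute the MAC.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale timestamp"

    expected = sign_payload(secret, ts, raw_body)
    # Constant-time comparison on bytes; never use == on MACs.
    if not hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8")):
        return False, "signature mismatch"

    # An identical signature seen again inside the window is an exact replay.
    if seen is not None:
        if provided in seen:
            return False, "replayed delivery"
        seen.add(provided)
    return True, "ok"


def demo():
    """Run the sender and receiver sides against constructed sample traffic."""
    secret = generate_secret()
    body = b'{"event":"payment.completed","amount":99.99}'  # constructed sample
    headers = build_headers(secret, body)
    seen = set()
    stale_now = int(headers[TIMESTAMP_HEADER]) + TOLERANCE_SECONDS + 1
    return {
        "valid": verify_webhook(secret, body, headers, seen=seen),
        "replayed": verify_webhook(secret, body, headers, seen=seen),
        "tampered": verify_webhook(
            secret, b'{"event":"payment.completed","amount":9999.99}', headers
        ),
        # Middleware that parses and re-encodes JSON changes the bytes.
        "reserialised": verify_webhook(
            secret, json.dumps(json.loads(body)).encode("utf-8"), headers
        ),
        "stale": verify_webhook(secret, body, headers, now=stale_now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

On a mismatch the receiver answers 401 and logs the reason string, never the expected signature. Keep the `seen` set bounded by evicting entries older than the tolerance window; the in-memory set here is only for illustration.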

Related recipes