DEV Community: WebhookScout The latest articles on DEV Community by WebhookScout (@webhookscout). https://dev.to/webhookscout https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3874208%2Fd9962485-9b65-4148-8fc8-9e7655f5c5f3.png DEV Community: WebhookScout https://dev.to/webhookscout en Testing Webhook Integrations Locally: A Complete Developer Guide WebhookScout Mon, 13 Apr 2026 15:47:35 +0000 https://dev.to/webhookscout/testing-webhook-integrations-locally-a-complete-developer-guide-3285 https://dev.to/webhookscout/testing-webhook-integrations-locally-a-complete-developer-guide-3285 <p>Testing webhook integrations locally sounds simple until you actually try to build the workflow end to end. You need a public URL, visibility into the raw requests, a way to replay payloads, and enough context to debug signature failures or malformed bodies without redeploying every five minutes.</p> <p>Here is the practical workflow I keep coming back to when I want to test webhook integrations locally without wasting half a day.</p> <h2> 1. Start with a real public endpoint </h2> <p>Most webhook providers cannot send events directly to localhost. You need a public URL that can receive requests and show you exactly what arrived.</p> <p>The minimum requirement is:</p> <ul> <li>a public HTTPS endpoint</li> <li>access to headers, body, query params, and timestamps</li> <li>request history so you can compare multiple attempts</li> </ul> <p>If your tool only shows a raw request once and then loses the data, debugging gets painful fast.</p> <h2> 2. Trigger known test events first </h2> <p>Do not begin with the most complex real workflow. Start with predictable events from providers like Stripe, GitHub, Shopify, or Twilio. That gives you a clean baseline for:</p> <ul> <li>payload shape</li> <li>signature headers</li> <li>retry behavior</li> <li>event ordering</li> </ul> <p>Once the simple test event works, move to real-world edge cases.</p> <h2> 3. Inspect the exact payload before touching app logic </h2> <p>A lot of webhook bugs are not really application bugs. They are mismatches between what you think the provider sends and what it actually sends.</p> <p>Check:</p> <ul> <li>content type</li> <li>nested JSON structure</li> <li>timestamp fields</li> <li>event names</li> <li>signature headers</li> <li>idempotency identifiers</li> </ul> <p>This alone catches a surprising amount of integration friction.</p> <h2> 4. Replay requests instead of constantly re-triggering upstream systems </h2> <p>Replay is one of the highest-leverage features in a webhook workflow. If you can resend the same captured request against your local handler, you can iterate much faster.</p> <p>That matters when you are debugging:</p> <ul> <li>signature verification</li> <li>schema validation</li> <li>timeout issues</li> <li>database write logic</li> <li>retry handling</li> </ul> <p>Without replay, every small fix depends on the upstream provider giving you another event.</p> <h2> 5. Log raw input separately from business logic </h2> <p>Keep a layer that records what arrived before you mutate or normalize it. This makes it much easier to answer:</p> <ul> <li>did the provider send the field?</li> <li>did my parser drop it?</li> <li>did signature verification fail before processing?</li> <li>did I reject a valid event because of my own assumptions?</li> </ul> <h2> 6. Test failure modes on purpose </h2> <p>A webhook flow is not really tested until you have seen how it fails.</p> <p>Try:</p> <ul> <li>invalid signatures</li> <li>stale timestamps</li> <li>duplicate deliveries</li> <li>missing required fields</li> <li>very large payloads</li> <li>slow handler responses</li> </ul> <p>Production problems usually show up in the unhappy path first.</p> <h2> 7. Use tools that make local visibility easy </h2> <p>For local webhook testing, I want immediate visibility into incoming requests and an easy replay path. That is the reason tools like <a href="https://webhookscout.com" rel="noopener noreferrer">WebhookScout</a> are useful during development: you can point a provider at a live endpoint, inspect the request in real time, and replay it while iterating on your local handler.</p> <p>The goal is not just to receive a webhook. The goal is to understand exactly what happened when the integration breaks.</p> <h2> Final thoughts </h2> <p>The best local webhook workflow is the one that shortens the loop between receiving an event and understanding why your code did or did not handle it correctly.</p> <p>If you set up a public endpoint, inspect the raw payload first, preserve request history, and rely on replay for iteration, webhook testing becomes much less chaotic.</p> <p>That alone can save hours every week when you are working with third-party integrations.</p> <p>If you regularly work with Stripe, GitHub, Shopify, or Twilio webhooks, spend a little time building a repeatable local debugging flow. The payoff is immediate.</p> webhooks testing webdev tutorial How to Debug Webhooks Like a Pro: Tools, Tips, and Techniques WebhookScout Mon, 13 Apr 2026 14:14:32 +0000 https://dev.to/webhookscout/how-to-debug-webhooks-like-a-pro-tools-tips-and-techniques-1ffh https://dev.to/webhookscout/how-to-debug-webhooks-like-a-pro-tools-tips-and-techniques-1ffh <p>Webhook security matters because webhook endpoints are public, machine-to-machine entry points into your application. If you trust incoming requests by default, attackers can forge events, replay valid payloads, or flood your handlers until your systems fail in noisy and confusing ways.</p> <p>This guide covers practical webhook security habits you should implement before exposing endpoints in production.</p> <h2> 1. Verify signatures first </h2> <p>If your provider supports signed webhook delivery, verify the signature before you parse or process the payload. Stripe, GitHub, and many others sign payloads with a shared secret. That signature check should be the first gate, not an afterthought.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">verifyWebhookSignature</span><span class="p">(</span><span class="nx">rawBody</span><span class="p">,</span> <span class="nx">signature</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">expected</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">rawBody</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">timingSafeEqual</span><span class="p">(</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">signature</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">),</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">expected</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 2. Add timestamp validation </h2> <p>A valid signature is not enough if someone can replay an old request. Include timestamp tolerance checks when the provider supports them, and reject stale deliveries.</p> <h2> 3. Rate-limit the endpoint </h2> <p>Webhook endpoints can still be abused even when requests look structurally valid. Apply rate limits and queueing so a flood of webhook traffic does not overwhelm downstream processing.</p> <h2> 4. Validate payload shape </h2> <p>Do not assume fields exist just because the request is signed. Use schema validation and explicit type checks before you touch business logic.</p> <h2> 5. Use HTTPS everywhere </h2> <p>Never accept webhook traffic over insecure transport. Terminate TLS correctly, and make sure secrets are never sent over plaintext connections.</p> <h2> 6. Rotate secrets safely </h2> <p>Support secret rotation without downtime by allowing a short window where both the old and new secret are accepted.</p> <h2> 7. Monitor failures and anomalies </h2> <p>Track signature failures, replay rejections, unusual source patterns, and payload validation errors. Security controls are only useful if you notice when they are firing.</p> <h2> Final thought </h2> <p>Webhook security is not one setting. It is layered discipline: authenticate the sender, validate freshness, constrain traffic, validate structure, and monitor behavior.</p> <p>When you are implementing or troubleshooting webhook security, it helps to see exactly what headers and payloads are hitting your endpoint. <a href="https://www.webhookscout.com" rel="noopener noreferrer">WebhookScout</a> lets you inspect incoming webhook requests in real time so you can debug verification logic, payload structure, and retry behavior without guessing.</p> webhooks webdev debugging devtools Webhook Security Best Practices: Protecting Your Endpoints in Production WebhookScout Sun, 12 Apr 2026 12:28:08 +0000 https://dev.to/webhookscout/webhook-security-best-practices-protecting-your-endpoints-in-production-50lc https://dev.to/webhookscout/webhook-security-best-practices-protecting-your-endpoints-in-production-50lc <p>Webhook Security Best Practices: Protecting Your Endpoints in Production</p> <p>Webhooks are powerful — they let external services push real-time data to your application without polling. But every webhook endpoint you expose is an open door into your system. Without proper security, attackers can forge payloads, replay requests, or overwhelm your servers.</p> <p>This guide covers seven battle-tested practices for securing webhook endpoints in production, with practical Node.js examples you can implement today.</p> <h2> 1. Verify Webhook Signatures (HMAC-SHA256) </h2> <p>The single most important security measure. Most webhook providers (Stripe, GitHub, Shopify) sign payloads with a shared secret using HMAC-SHA256. <strong>Always verify these signatures before processing any payload.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">verifyWebhookSignature</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-webhook-signature</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signature</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">expectedSig</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Use timingSafeEqual to prevent timing attacks</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">timingSafeEqual</span><span class="p">(</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">signature</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">),</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">expectedSig</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhooks/incoming</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">verifyWebhookSignature</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEBHOOK_SECRET</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid signature</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">handleWebhook</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Critical detail:</strong> Use <code>crypto.timingSafeEqual()</code> instead of <code>===</code> for signature comparison. Simple string comparison leaks timing information that attackers can exploit to guess valid signatures byte by byte.</p> <blockquote> <p><strong>Tip:</strong> When developing locally, tools like <a href="https://webhookscout.com" rel="noopener noreferrer">WebhookScout</a> let you inspect incoming webhook headers and payloads in real time — making it easy to see exactly what signature format a provider sends before you write verification logic.</p> </blockquote> <h2> 2. Prevent Replay Attacks with Timestamps </h2> <p>Even with valid signatures, an attacker who intercepts a legitimate webhook can replay it later. Defend against this by checking the request timestamp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">isRequestFresh</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">maxAgeSeconds</span> <span class="o">=</span> <span class="mi">300</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">timestamp</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-webhook-timestamp</span><span class="dl">'</span><span class="p">],</span> <span class="mi">10</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">timestamp</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">);</span> <span class="k">return</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">abs</span><span class="p">(</span><span class="nx">now</span> <span class="o">-</span> <span class="nx">timestamp</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="nx">maxAgeSeconds</span><span class="p">;</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhooks/incoming</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isRequestFresh</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">408</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Request too old</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">verifyWebhookSignature</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEBHOOK_SECRET</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid signature</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">handleWebhook</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>For stronger protection, combine timestamps with a <strong>nonce</strong> (unique request ID). Store processed nonces in Redis with a TTL matching your timestamp window:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">createClient</span><span class="p">();</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">isDuplicate</span><span class="p">(</span><span class="nx">requestId</span><span class="p">,</span> <span class="nx">ttlSeconds</span> <span class="o">=</span> <span class="mi">300</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="s2">`webhook:nonce:</span><span class="p">${</span><span class="nx">requestId</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">exists</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">exists</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">setEx</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">ttlSeconds</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> 3. IP Allowlisting </h2> <p>If your webhook provider publishes their IP ranges, restrict incoming requests to only those addresses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ALLOWED_IPS</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">192.30.252.0/22</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Example: GitHub webhook IPs</span> <span class="dl">'</span><span class="s1">140.82.112.0/20</span><span class="dl">'</span><span class="p">,</span> <span class="p">];</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isInSubnet</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">is-in-subnet</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">ipAllowlist</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">clientIP</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-forwarded-for</span><span class="dl">'</span><span class="p">]?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]?.</span><span class="nf">trim</span><span class="p">()</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">socket</span><span class="p">.</span><span class="nx">remoteAddress</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">allowed</span> <span class="o">=</span> <span class="nx">ALLOWED_IPS</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">range</span> <span class="o">=&gt;</span> <span class="nf">isInSubnet</span><span class="p">(</span><span class="nx">clientIP</span><span class="p">,</span> <span class="nx">range</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">allowed</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Forbidden</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhooks/github</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ipAllowlist</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">handleWebhook</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Caveat:</strong> IP ranges change. Automate fetching them — GitHub publishes theirs at <code>https://api.github.com/meta</code>.</p> <h2> 4. Rate Limiting </h2> <p>Even authenticated webhooks can overwhelm your system. Apply rate limiting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">webhookLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests</span><span class="dl">'</span> <span class="p">},</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhooks/incoming</span><span class="dl">'</span><span class="p">,</span> <span class="nx">webhookLimiter</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">handleWebhook</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> 5. Validate and Sanitize Payloads </h2> <p>Never trust webhook payloads blindly. Validate structure and types:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Ajv</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ajv</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ajv</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Ajv</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">webhookSchema</span> <span class="o">=</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">event</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">enum</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">order.created</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">order.updated</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">order.cancelled</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="mi">64</span> <span class="p">},</span> <span class="na">amount</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">number</span><span class="dl">'</span><span class="p">,</span> <span class="na">minimum</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">maximum</span><span class="p">:</span> <span class="mi">1000000</span> <span class="p">},</span> <span class="na">currency</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^[A-Z]{3}$</span><span class="dl">'</span> <span class="p">},</span> <span class="p">},</span> <span class="na">required</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">amount</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="na">required</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">event</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">],</span> <span class="na">additionalProperties</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">validate</span> <span class="o">=</span> <span class="nx">ajv</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="nx">webhookSchema</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhooks/orders</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">validate</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid payload</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">handleWebhook</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> 6. Enforce HTTPS and Use Webhook Secrets Wisely </h2> <p><strong>HTTPS is non-negotiable.</strong> Without TLS, signatures and secrets are visible in transit.</p> <p>For your webhook secrets:</p> <ul> <li> <strong>Never hardcode them.</strong> Use environment variables or a secrets manager.</li> <li><strong>Use unique secrets per webhook source.</strong></li> <li> <strong>Minimum 32 characters</strong> of cryptographically random data. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> 7. Rotate Secrets Without Downtime </h2> <p>Support dual secrets for zero-downtime rotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">verifyWithRotation</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">secrets</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-webhook-signature</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signature</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">return</span> <span class="nx">secrets</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">secret</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">expected</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">timingSafeEqual</span><span class="p">(</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">signature</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">),</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">expected</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">secrets</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEBHOOK_SECRET_CURRENT</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEBHOOK_SECRET_PREVIOUS</span><span class="p">,</span> <span class="p">].</span><span class="nf">filter</span><span class="p">(</span><span class="nb">Boolean</span><span class="p">);</span> </code></pre> </div> <h2> Putting It All Together </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhooks/provider</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ipAllowlist</span><span class="p">,</span> <span class="nx">webhookLimiter</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isRequestFresh</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">408</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Stale request</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">reqId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-request-id</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">reqId</span> <span class="o">&amp;&amp;</span> <span class="k">await</span> <span class="nf">isDuplicate</span><span class="p">(</span><span class="nx">reqId</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">409</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Duplicate</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">},</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">verifyWithRotation</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">secrets</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid signature</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">},</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">validate</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid payload</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">handleWebhook</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <h2> Quick Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Practice</th> <th>Protects Against</th> </tr> </thead> <tbody> <tr> <td>HMAC signature verification</td> <td>Forged payloads</td> </tr> <tr> <td>Timing-safe comparison</td> <td>Timing attacks</td> </tr> <tr> <td>Timestamp validation</td> <td>Replay attacks</td> </tr> <tr> <td>Nonce deduplication</td> <td>Duplicate processing</td> </tr> <tr> <td>IP allowlisting</td> <td>Unauthorized sources</td> </tr> <tr> <td>Rate limiting</td> <td>DDoS, flood attacks</td> </tr> <tr> <td>Schema validation</td> <td>Injection, malformed data</td> </tr> <tr> <td>HTTPS</td> <td>Eavesdropping, MITM</td> </tr> <tr> <td>Secret rotation</td> <td>Compromised credentials</td> </tr> </tbody> </table></div> <h2> Final Thoughts </h2> <p>Webhook security is not a single feature — it is a stack. Start with signature verification, then layer on timestamp checks, rate limiting, and schema validation.</p> <p>When debugging your security implementation, seeing exact headers and payloads arriving at your endpoint is invaluable. <a href="https://webhookscout.com" rel="noopener noreferrer">WebhookScout</a> gives you real-time visibility into what is hitting your endpoints during development.</p> <p>Build the habit of treating every webhook endpoint like a public API: authenticate, validate, rate-limit, and monitor.</p> security webhooks webdev tutorial