Webhook Security
Webhook security encompasses the techniques used to protect webhook endpoints from spoofing, tampering, replay attacks, and server-side request forgery, ensuring that incoming webhook payloads are authentic and safe to process.
Webhooks are HTTP callbacks that allow one service to notify another when an event occurs. Unlike traditional APIs where the client polls for updates, webhooks push data to a registered URL in real time. While this pattern is efficient, it introduces unique security challenges because the receiving server must accept incoming requests from external sources and trust the data within them.
The most critical webhook security measure is payload signature verification. The sending service signs each webhook payload using a shared secret (typically with HMAC-SHA256), and the receiving server verifies the signature before processing the payload. This prevents attackers from sending forged webhook events. Major providers like Stripe, GitHub, and Twilio all implement this pattern with slight variations in header naming and signing algorithms.
Additional webhook security controls include: enforcing HTTPS for all webhook URLs to prevent eavesdropping; timestamp-based replay protection that rejects payloads older than a defined window (typically 5 minutes); validating the payload against a schema to prevent injection attacks; processing webhooks asynchronously so slow handlers cannot be turned into a timeout-based denial of service; allowlisting source IP addresses when the provider publishes them; and idempotency, so duplicate deliveries are handled safely. Webhook endpoints should also be protected against SSRF: any follow-up request the endpoint makes in response to an event must not be directed at internal network resources by attacker-controlled data in the webhook payload.
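As an added example (not part of the original text), a receiver in Python that implements the HMAC-SHA256 signature check described above together with the replay window and idempotency controls listed here. The header name `X-Webhook-Signature` and its `t=<unix time>,v1=<hex HMAC>` format are assumptions modelled on the timestamped-signature pattern, not any specific provider's scheme.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # replay window: 5 minutes, as in the text


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender attaches: HMAC-SHA256 over '<timestamp>.<raw body>'.
    Binding the timestamp into the MAC is what makes the replay check tamper-proof."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> dict:
    """Check a hypothetical 'X-Webhook-Signature: t=<unix>,v1=<hex>' header against the
    raw request body. Returns the parsed JSON payload, or raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts, provided = int(parts["t"]), parts["v1"]
    except (KeyError, ValueError):
        raise ValueError("malformed signature header") from None
    # Replay protection: reject stale (or far-future) timestamps before any other work.
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance window")
    expected = sign(secret, ts, body)
    # Constant-time comparison so the check does not leak the expected value via timing.
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        raise ValueError("signature mismatch")
    return json.loads(body)  # only parse the body once it is known to be authentic


class WebhookReceiver:
    """Verifies each delivery and remembers processed event IDs so that duplicate
    deliveries are acknowledged without being processed a second time."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen: set = set()

    def handle(self, header: str, body: bytes, now: Optional[int] = None) -> str:
        event = verify(self.secret, header, body, now)
        if event["id"] in self.seen:
            return "duplicate"
        self.seen.add(event["id"])
        return "processed"
```

In a real endpoint, `body` must be the raw request bytes exactly as received; re-serialising a parsed JSON object before verifying will break the signature.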