Recipe

Secure a webhook endpoint

A webhook endpoint is an inbound door — lock it. Enforce HTTPS, verify every signature over the raw body, reject stale timestamps to blunt replay, keep the signing secret out of logs, and subscribe to only the events you handle.


HTTPS: Non-negotiable
Verify + freshness: Every request
Secret hygiene: Never log it

Enforce transport and auth

Only accept HTTPS. Verify the HMAC signature before parsing, and reject timestamps outside the 300-second window to stop replays.
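The verify-then-parse order described above, as an added example that is not the provider's own code. The page does not give the signing format, so the signed string (`<timestamp>.` followed by the raw body), the hex HMAC-SHA256 encoding, and the sample secret and body are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # freshness window stated on this page


class WebhookRejected(Exception):
    """Any failed check; the handler maps this to one generic 4xx response."""


def sign(secret: str, timestamp: str, raw_body: bytes) -> str:
    # ASSUMPTION: signature is hex HMAC-SHA256 over b"<timestamp>." + raw body.
    message = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp, signature, raw_body: bytes, now=None):
    """Return the parsed event only if the signature and timestamp both pass."""
    now = time.time() if now is None else now
    # Header values are attacker-controlled: require a plain ASCII integer.
    if not (isinstance(timestamp, str) and timestamp.isascii() and timestamp.isdigit()):
        raise WebhookRejected("malformed timestamp")
    if not isinstance(signature, str):
        raise WebhookRejected("missing signature")
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison over the bytes exactly as received.
    if not hmac.compare_digest(expected.encode(), signature.encode("utf-8", "replace")):
        raise WebhookRejected("signature mismatch")
    # The timestamp is covered by the MAC, so it can be trusted from here on.
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside window")
    return json.loads(raw_body)  # parse only after both checks pass


if __name__ == "__main__":
    secret = "whsec_constructed_example_only"  # constructed, not a real secret
    body = b'{"type":"example.event","id":"evt_constructed"}'  # constructed
    ts = str(int(time.time()))
    print(verify_webhook(secret, ts, sign(secret, ts, body), body))
```

Pass the request bytes exactly as received: a body that has been parsed and re-serialised by the framework will usually differ in whitespace or key order and fail verification.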

Protect the secret

Store the whsec_ secret in a secrets manager, never in source or logs. Rotate it immediately if it may have leaked.

Minimise exposure

Subscribe to only the event types you handle, run the endpoint on a dedicated path, and rate-limit it yourself as defence-in-depth. Return generic errors — do not leak internal detail in the response body.

Frequently asked questions

Is the webhook body encrypted?

It is protected in transit by HTTPS. The signature proves integrity and origin, not confidentiality — which is exactly why HTTPS is mandatory.

What is the single most important control?

Signature verification over the raw body with a fresh-timestamp check. Without it, anyone who finds your URL can POST fake events.
