Enforce transport and auth
Only accept HTTPS. Verify the HMAC signature before parsing, and reject timestamps outside the 300-second window to stop replays.
Protect the secret
Store the whsec_ secret in a secrets manager, never in source or logs. Rotate it immediately if it may have leaked.
Minimise exposure
Subscribe to only the event types you handle, run the endpoint on a dedicated path, and rate-limit it yourself as defence-in-depth. Return generic errors — do not leak internal detail in the response body.
Frequently asked questions
Is the webhook body encrypted?
It is protected in transit by HTTPS. The signature proves integrity and origin, not confidentiality — which is exactly why HTTPS is mandatory.
What is the single most important control?
Signature verification over the raw body with a fresh-timestamp check. Without it, anyone who finds your URL can POST fake events.
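The verification order described above and in "Enforce transport and auth" (check the signature over the raw body and the timestamp window before parsing anything), as an added example that is not code from the original page. The signature scheme it assumes is HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded, carried in a header of the form "t=<unix seconds>,v1=<hex>"; the page does not specify the provider's exact format, so adapt these two details to the one you integrate with.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # replay window from the page


def compute_signature(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<raw body>', hex-encoded."""
    mac = hmac.new(secret.encode("utf-8"), digestmod=hashlib.sha256)
    mac.update(str(timestamp).encode("ascii"))
    mac.update(b".")
    mac.update(raw_body)  # raw bytes as received, never a re-serialised copy
    return mac.hexdigest()


def verify_webhook(secret: str, raw_body: bytes, sig_header: str, now=None) -> bool:
    """True only if the timestamp is fresh AND the signature matches.

    Assumed header format: "t=<unix seconds>,v1=<hex hmac>".
    """
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in sig_header.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (ValueError, KeyError):
        return False  # malformed header: reject, do not guess
    # Reject stale or future-dated timestamps before touching the MAC.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison so response timing does not leak the MAC.
    return hmac.compare_digest(expected, provided)


def accept_event(secret: str, raw_body: bytes, sig_header: str, now=None):
    """Verify first; only a verified body is ever parsed. Returns dict or None."""
    if not verify_webhook(secret, raw_body, sig_header, now):
        return None
    return json.loads(raw_body)
```

Read the secret from your secrets manager at startup rather than a literal; the constructed values in the test below exist only to exercise the functions.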