Webhook signature verification (timing-safe compare)


For webhooks, I assume the internet is hostile by default. I don’t trust that a request ‘looks like’ it came from Stripe/GitHub/etc; I verify the signature over the raw request body and use crypto.timingSafeEqual to avoid leaking information via timing. When signature checks fail, I log just enough metadata to debug (provider, event id, timestamp skew), but never the secret and never the full raw payload. If the provider includes a timestamp header, I enforce a tolerance window to reduce replay risk. This keeps the endpoint safe even when it’s publicly exposed, and it makes failures explainable without turning logs into a liability.