HMAC Signature Verification
Most webhook providers sign their payloads using HMAC-SHA256 and include the Base64-encoded signature in a request header. To verify, compute HMAC-SHA256 over the raw request body using the shared secret, Base64-encode the result, and compare to the header value. Always use the raw body for verification — not the decoded JSON.
Timing-Safe Comparison
When comparing HMAC signatures, use timing-safe comparison functions (crypto.timingSafeEqual in Node.js, hmac.compare_digest in Python). Regular string comparison short-circuits on the first mismatch, leaking timing information that sophisticated attackers can exploit.
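An added example, not code from the original page, that puts the two preceding sections together in Python: the signature is computed over the raw body bytes, Base64-encoded, and checked with hmac.compare_digest. The secret and body are constructed sample values, and the header is assumed to carry the plain Base64 digest with no prefix. The reserialized_body helper shows why the raw body must be used: decoding and re-encoding the JSON changes the bytes, so the signature no longer matches.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; no real provider secret or payload.
SHARED_SECRET = b"whsec_example_do_not_use_in_production"
RAW_BODY = b'{"id": "evt_123", "type": "order.paid", "amount": 1999}'


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request bytes, Base64-encoded as a header value."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """True only if header_value is the HMAC of raw_body under secret.

    hmac.compare_digest takes time independent of where the first differing
    byte is, unlike == on str or bytes, which stops at the first mismatch.
    """
    expected = sign_payload(secret, raw_body)
    # Encode both sides so a non-ASCII header value compares unequal
    # instead of raising inside compare_digest.
    return hmac.compare_digest(expected.encode("utf-8"), header_value.encode("utf-8"))


def reserialized_body(raw_body: bytes) -> bytes:
    """What json.loads() followed by json.dumps() produces: semantically the same
    document, but different bytes (whitespace, key order), so the HMAC differs."""
    return json.dumps(json.loads(raw_body), separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    header = sign_payload(SHARED_SECRET, RAW_BODY)
    print("raw body verifies:", verify_signature(SHARED_SECRET, RAW_BODY, header))
    print("re-serialized JSON verifies:",
          verify_signature(SHARED_SECRET, reserialized_body(RAW_BODY), header))
```

Read the body bytes from the request before any JSON middleware parses it; frameworks that hand you a parsed object usually also expose the original bytes for exactly this reason.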
Binary Payloads in Webhooks
Some webhooks include file attachments or image data inline in the JSON payload as Base64-encoded strings. Decode the Base64 string to retrieve the binary data before processing. Always validate the MIME type and size of decoded binary data before passing it to processing libraries.
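An added example in Python, not from the original page, of decoding an inline attachment and validating it before handing the bytes to a processing library. The attachment shape ({"filename", "mime_type", "data"}), the size limit, and the allow-list of accepted types with their leading magic bytes are all assumptions for this example; the sample PNG-like bytes are constructed.

```python
import base64
import binascii

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024  # assumed policy limit for this example

# Assumed allow-list: accepted MIME types and the magic bytes each must start with.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}


class AttachmentError(ValueError):
    """Raised when an inline attachment fails validation."""


def decode_attachment(attachment: dict) -> bytes:
    """Decode one inline attachment and return its bytes, or raise AttachmentError.

    Assumed shape (constructed for this example):
      {"filename": "...", "mime_type": "image/png", "data": "<base64>"}
    """
    mime = attachment.get("mime_type")
    if mime not in MAGIC:
        raise AttachmentError(f"disallowed MIME type: {mime!r}")
    encoded = attachment.get("data")
    if not isinstance(encoded, str):
        raise AttachmentError("missing or non-string data field")
    # Reject oversized input before decoding: 4 Base64 characters encode 3 bytes.
    if len(encoded) * 3 // 4 > MAX_ATTACHMENT_BYTES:
        raise AttachmentError("attachment too large")
    try:
        data = base64.b64decode(encoded, validate=True)  # reject non-alphabet characters
    except binascii.Error as exc:
        raise AttachmentError(f"invalid Base64: {exc}") from exc
    if len(data) > MAX_ATTACHMENT_BYTES:
        raise AttachmentError("attachment too large")
    # Check the content against the declared type, not just the declared type itself.
    if not data.startswith(MAGIC[mime]):
        raise AttachmentError(f"content does not match declared type {mime}")
    return data


# Constructed sample: PNG magic bytes followed by filler, not a real image.
SAMPLE_PNG_BYTES = MAGIC["image/png"] + b"\x00" * 16
SAMPLE_ATTACHMENT = {
    "filename": "receipt.png",
    "mime_type": "image/png",
    "data": base64.b64encode(SAMPLE_PNG_BYTES).decode("ascii"),
}
# Same bytes, but the sender claims they are a PDF.
MISLABELED_ATTACHMENT = dict(SAMPLE_ATTACHMENT, mime_type="application/pdf")


def validate(attachment: dict) -> str:
    """Convenience wrapper returning 'ok' or the validation error message."""
    try:
        decode_attachment(attachment)
        return "ok"
    except AttachmentError as exc:
        return str(exc)


if __name__ == "__main__":
    print(validate(SAMPLE_ATTACHMENT))
    print(validate(MISLABELED_ATTACHMENT))
    print(validate({"mime_type": "text/html", "data": "PGh0bWw+"}))
```

The magic-byte check is a cheap first gate, not a full parser; it stops the obvious case of a declared image that is really something else before an image library ever sees the bytes.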
Webhook Idempotency
Webhook delivery is not guaranteed to happen exactly once: providers retry failed deliveries, so your endpoint may receive the same event more than once. Include an idempotency key in your processing logic to safely handle duplicates. Signature verification should happen before any database writes.
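An added example in Python, not from the original page, of a handler that orders the checks as the section describes: authenticate the raw body first, then consult the idempotency key, and only then write. The provider's event id is assumed to serve as the idempotency key, the secret and event bodies are constructed, and a set and a list stand in for the database.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"whsec_example_do_not_use_in_production"  # constructed sample secret

# Stand-ins for database tables: ids already handled, and the writes they caused.
processed_events: set = set()
orders_marked_paid: list = []


def sign(raw_body: bytes) -> str:
    """Provider-side signing, used here only to simulate deliveries."""
    return base64.b64encode(hmac.new(SECRET, raw_body, hashlib.sha256).digest()).decode("ascii")


def handle_webhook(raw_body: bytes, signature_header: str) -> str:
    """Process one delivery; returns 'rejected', 'duplicate' or 'processed'."""
    # 1. Authenticate before touching any state, so forged or tampered
    #    deliveries never reach the dedupe table or the business data.
    expected = sign(raw_body).encode("utf-8")
    if not hmac.compare_digest(expected, signature_header.encode("utf-8")):
        return "rejected"

    event = json.loads(raw_body)
    event_id = event["id"]  # assumed: provider's event id is the idempotency key

    # 2. A retry of an event already handled is acknowledged with no side effects,
    #    so the provider stops retrying and nothing is double-applied.
    if event_id in processed_events:
        return "duplicate"

    # 3. Apply the change and record the key. In a real system do both in one
    #    transaction (or insert the key under a unique constraint first) so a
    #    crash between them cannot cause the work to run twice.
    orders_marked_paid.append(event["order_id"])
    processed_events.add(event_id)
    return "processed"


if __name__ == "__main__":
    body = b'{"id": "evt_1", "type": "order.paid", "order_id": "ord_9"}'
    print(handle_webhook(body, sign(body)))          # processed
    print(handle_webhook(body, sign(body)))          # duplicate (simulated retry)
    print(handle_webhook(body, "AAAA"))              # rejected
    print(orders_marked_paid)                        # ['ord_9'] once, not twice
```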
Base64 in webhooks serves two purposes: authenticating payloads via HMAC signatures and encoding binary data in JSON. Implement timing-safe signature verification and validate binary data before processing.