Verify HMAC-SHA256 signatures on incoming webhook deliveries
Every webhook delivery includes an X-Xquik-Signature header containing an HMAC-SHA256 signature. Always verify this signature before processing events.
# Generate a test signature to verify your implementationecho -n '{"test":"payload"}' | openssl dgst -sha256 -hmac "your_webhook_secret" | sed 's/.*= /sha256=/'
Webhook deliveries can be retried on failure, so your endpoint may receive the same event multiple times. The payload does not include a built-in delivery ID, so compute a hash of the raw request body to deduplicate events.
Copy
import { createHash } from "node:crypto";const processedPayloads = new Set();app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => { const signature = req.headers["x-xquik-signature"]; const payload = req.body.toString(); if (!verifyWebhookSignature(payload, signature, WEBHOOK_SECRET)) { return res.status(401).send("Invalid signature"); } // Deduplicate by hashing the raw payload const payloadHash = createHash("sha256").update(payload).digest("hex"); if (processedPayloads.has(payloadHash)) { return res.status(200).send("Already processed"); } processedPayloads.add(payloadHash); const event = JSON.parse(payload); // Process event... handleEvent(event); res.status(200).send("OK");});
The in-memory examples above work for single-process servers. In production, use a persistent store (database, Redis) to track processed payload hashes across restarts and multiple instances.
