Webhook overview
Verifying Webhook Signatures
X-UpPromote-Signature: <signature>1.
2.
3.
4.
Example Implementations
PHP (Laravel Middleware)
public function handle(Request $request, Closure $next): mixed
{
$secret = 'your-subscription-secret'; // Replace with your secret
$payload = $request->getContent(); // Raw request body
$receivedSignature = $request->header('X-UpPromote-Signature');
$calculatedSignature = hash_hmac('sha256', $payload, $secret);
if (hash_equals($receivedSignature, $calculatedSignature)) {
logger('Webhook valid');
return $next($request);
} else {
logger('Webhook invalid. Received: ' . $receivedSignature . ', Calculated: ' . $calculatedSignature);
return response()->json(['error' => 'Invalid signature'], 401);
}
}Node.js (Express)
Python (Flask)
import hmac
import hashlib
from flask import request, abort
def verify_webhook():
secret = b'your-subscription-secret' # Replace with your secret
payload = request.get_data() # Raw request body
received_signature = request.headers.get('X-UpPromote-Signature')
calculated_signature = hmac.new(secret, payload, hashlib.sha256).hexdigest()
if hmac.compare_digest(received_signature, calculated_signature):
print("Webhook valid")
return True
else:
print("Webhook invalid")
abort(401, "Invalid signature")Ruby (Sinatra)
require 'openssl'
before '/webhook' do
secret = 'your-subscription-secret' # Replace with your secret
payload = request.body.read
received_signature = request.env['HTTP_X_SIGNATURE']
calculated_signature = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
halt 401, "Invalid signature" unless Rack::Utils.secure_compare(received_signature, calculated_signature)
endKey Notes
Best Practices
1. Always use HTTPS
Do not accept webhook requests over plain HTTP.
2. Use the raw request body
3. Time-safe comparison
4. Validate headers
5. Respond quickly
6. Retry on failure
7. Log failures securely
8. Rotate secrets when needed
9. Restrict IPs (optional)
10. Idempotency handling
11. Versioning
Modified at 2025-10-06 07:11:20