Technolila Webtools

Computed Truth

Webhooks are asynchronous "fire-and-forget" events. Reliability depends on **Idempotency keys** (to handle duplicate deliveries) and **HMAC Signatures** (to verify the sender). A valid JSON structure does not guarantee a valid webhook; the cryptographic signature is the only proof of origin.

Webhook Payload Validator & Formatter


The Technical Proof

Reliable webhook ingestion requires a strict pipeline:

  1. Transport Security: Always use HTTPS.
  2. Signature Verification: Check that the calculated `HMAC(SHA256, payload, secret)` matches the `X-Hub-Signature` header. This prevents "Man-in-the-Middle" replay attacks.
  3. Timing Safe Comparison: Use constant-time string comparison methods (like `hash_equals` in PHP) to prevent timing side-channel attacks during verification.

Validation Logic

  1. Parse: Attempt to decode the raw string using `JSON.parse` or XML parsers.
  2. Format: If valid, re-serialize with indentation (Pretty Print) for human readability.
  3. Hash: If a secret is present, hash the *raw* payload byte-for-byte. (Note: Changing even one whitespace character in the payload breaks the signature.)
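
The pipeline and validation steps above, as an added Node.js example (not this tool's own code): it verifies the HMAC over the raw bytes with a constant-time comparison, rejects duplicate deliveries, and only then parses the JSON. The `sha256=<hex>` header format, the `deliveryId` idempotency key, the in-memory `seenDeliveries` set and the sample values are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Idempotency keys already processed (in-memory for the demo; assumption).
const seenDeliveries = new Set();

// Hex HMAC-SHA256 over the raw body bytes, exactly as received.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// rawBody: Buffer as received, never a re-serialized object.
// signatureHeader: assumed to look like "sha256=<64 hex chars>".
// deliveryId: hypothetical idempotency key supplied by the sender.
function verifyWebhook(rawBody, signatureHeader, secret, deliveryId) {
  const m = /^sha256=([0-9a-f]{64})$/i.exec(signatureHeader || "");
  if (!m) return { ok: false, reason: "malformed-signature" };
  const received = Buffer.from(m[1], "hex");
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (seenDeliveries.has(deliveryId)) return { ok: false, reason: "duplicate" };
  let payload;
  try {
    payload = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return { ok: false, reason: "invalid-json" };
  }
  seenDeliveries.add(deliveryId);
  return { ok: true, payload };
}

// Constructed sample input.
const SECRET = "constructed-demo-secret";
const RAW = Buffer.from('{"event":"order.paid","id":42}');
const HEADER = "sha256=" + sign(RAW, SECRET);
// Same JSON, pretty-printed: different bytes, so the signature no longer matches.
const REFORMATTED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString()), null, 2));
```

Verifying `REFORMATTED` against `HEADER` fails with `bad-signature`, which is why the hash step must run on the bytes as received and not on the pretty-printed output.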