The Problem
Elena runs integrations at a 30-person fintech. They receive webhooks from Stripe, Plaid, and 8 other providers — payment confirmations, bank connections, KYC results. But the endpoint is wide open: no signature verification, no replay protection, no idempotency checks. A penetration test revealed that anyone could POST fake "payment_succeeded" events to the endpoint and trigger account credits. Last month, a Stripe retry storm processed the same payment 4 times, crediting a customer $12K instead of $3K. Securing the webhook pipeline is critical before they process another dollar.
Step 1: Build the Signature Verification Middleware
Each webhook provider signs payloads differently. The verification layer validates signatures before any business logic runs, rejecting forged requests at the door.
typescript
// src/middleware/webhook-verify.ts — Provider-specific signature verification
import { Context, Next } from "hono";
import { createHmac, timingSafeEqual } from "node:crypto";
type Provider = "stripe" | "plaid" | "github" | "shopify" | "twilio" | "generic";
interface ProviderConfig {
headerName: string;
algorithm: string;
computeSignature: (payload: string, secret: string, headers: Record<string, string>) => string;
maxAgeSeconds: number;
}
const PROVIDERS: Record<Provider, ProviderConfig> = {
stripe: {
headerName: "stripe-signature",
algorithm: "sha256",
maxAgeSeconds: 300, // 5 minutes
computeSignature: (payload, secret, headers) => {
// Stripe uses timestamp + payload for signing
const sigHeader = headers["stripe-signature"] || "";
const elements = Object.fromEntries(
sigHeader.split(",").map((e) => e.split("=") as [string, string])
);
const timestamp = elements.t;
const signedPayload = `${timestamp}.${payload}`;
return createHmac("sha256", secret).update(signedPayload).digest("hex");
},
},
plaid: {
headerName: "plaid-verification",
algorithm: "sha256",
maxAgeSeconds: 300,
computeSignature: (payload, secret) => {
return createHmac("sha256", secret).update(payload).digest("hex");
},
},
github: {
headerName: "x-hub-signature-256",
algorithm: "sha256",
maxAgeSeconds: 600,
computeSignature: (payload, secret) => {
return "sha256=" + createHmac("sha256", secret).update(payload).digest("hex");
},
},
shopify: {
headerName: "x-shopify-hmac-sha256",
algorithm: "sha256",
maxAgeSeconds: 300,
computeSignature: (payload, secret) => {
return createHmac("sha256", secret).update(payload).digest("base64");
},
},
twilio: {
headerName: "x-twilio-signature",
algorithm: "sha1",
maxAgeSeconds: 300,
computeSignature: (payload, secret, headers) => {
const url = headers["x-forwarded-url"] || "";
return createHmac("sha1", secret).update(url + payload).digest("base64");
},
},
generic: {
headerName: "x-webhook-signature",
algorithm: "sha256",
maxAgeSeconds: 300,
computeSignature: (payload, secret) => {
return createHmac("sha256", secret).update(payload).digest("hex");
},
},
};
export function webhookVerify(provider: Provider, secret: string) {
const config = PROVIDERS[provider];
return async (c: Context, next: Next) => {
const rawBody = await c.req.text();
const receivedSig = c.req.header(config.headerName);
if (!receivedSig) {
return c.json({ error: "Missing signature header" }, 401);
}
// Timestamp validation (replay prevention)
if (provider === "stripe") {
const sigHeader = receivedSig;
const timestamp = sigHeader.split(",").find((e) => e.startsWith("t="))?.slice(2);
if (timestamp) {
const age = Math.floor(Date.now() / 1000) - parseInt(timestamp);
if (age > config.maxAgeSeconds) {
return c.json({ error: "Webhook timestamp too old (possible replay)" }, 401);
}
}
}
// Compute expected signature
const headers: Record<string, string> = {};
c.req.raw.headers.forEach((v, k) => { headers[k] = v; });
const expectedSig = config.computeSignature(rawBody, secret, headers);
// Timing-safe comparison prevents timing attacks
const receivedBuf = Buffer.from(
provider === "stripe"
? (receivedSig.split(",").find((e) => e.startsWith("v1="))?.slice(3) || "")
: receivedSig
);
const expectedBuf = Buffer.from(expectedSig);
if (receivedBuf.length !== expectedBuf.length || !timingSafeEqual(receivedBuf, expectedBuf)) {
return c.json({ error: "Invalid signature" }, 401);
}
// Store raw body for downstream processing
c.set("rawBody", rawBody);
c.set("webhookPayload", JSON.parse(rawBody));
c.set("webhookProvider", provider);
await next();
};
}
Step 2: Add Idempotency and Deduplication
Webhook providers retry on timeout. Without idempotency, the same event processes multiple times. The system tracks processed event IDs and rejects duplicates.
typescript
// src/middleware/idempotency.ts — Prevent duplicate webhook processing
import { Context, Next } from "hono";
import { Redis } from "ioredis";
const redis = new Redis(process.env.REDIS_URL!);
// Idempotency key extractors for each provider
const KEY_EXTRACTORS: Record<string, (payload: any, headers: Record<string, string>) => string> = {
stripe: (payload) => payload.id, // evt_xxxx
plaid: (payload) => payload.webhook_id,
github: (_, headers) => headers["x-github-delivery"], // UUID per delivery
shopify: (_, headers) => headers["x-shopify-webhook-id"],
generic: (payload) => payload.event_id || payload.id,
};
export function idempotencyCheck() {
return async (c: Context, next: Next) => {
const provider = c.get("webhookProvider") as string;
const payload = c.get("webhookPayload");
const headers: Record<string, string> = {};
c.req.raw.headers.forEach((v, k) => { headers[k] = v; });
const extractor = KEY_EXTRACTORS[provider];
if (!extractor) {
await next();
return;
}
const eventId = extractor(payload, headers);
if (!eventId) {
await next();
return;
}
const idempotencyKey = `webhook:processed:${provider}:${eventId}`;
// Try to set the key (NX = only if not exists)
const isNew = await redis.set(idempotencyKey, Date.now().toString(), "NX", "EX", 86400 * 7); // 7 day TTL
if (!isNew) {
// Already processed — return 200 (don't make the provider retry)
console.log(`Duplicate webhook: ${provider}:${eventId} — skipping`);
return c.json({ status: "already_processed", eventId }, 200);
}
// Store processing status for observability
c.set("webhookEventId", eventId);
try {
await next();
} catch (error) {
// If processing fails, remove the idempotency key so retries work
await redis.del(idempotencyKey);
throw error;
}
};
}
Step 3: Build the Webhook Processing Pipeline
Events are validated, logged, and dispatched to the appropriate handler. Every webhook is stored for debugging and audit purposes.
typescript
// src/routes/webhooks.ts — Webhook receiving endpoints
import { Hono } from "hono";
import { webhookVerify } from "../middleware/webhook-verify";
import { idempotencyCheck } from "../middleware/idempotency";
import { pool } from "../db";
import { z } from "zod";
const app = new Hono();
// Stripe webhooks
app.post(
"/webhooks/stripe",
webhookVerify("stripe", process.env.STRIPE_WEBHOOK_SECRET!),
idempotencyCheck(),
async (c) => {
const event = c.get("webhookPayload");
const eventId = c.get("webhookEventId");
// Log every webhook for audit trail
await pool.query(
`INSERT INTO webhook_log (event_id, provider, event_type, payload, received_at)
VALUES ($1, 'stripe', $2, $3, NOW())`,
[eventId, event.type, JSON.stringify(event)]
);
// Route to handler based on event type
switch (event.type) {
case "payment_intent.succeeded":
await handlePaymentSucceeded(event.data.object);
break;
case "customer.subscription.updated":
await handleSubscriptionUpdated(event.data.object);
break;
case "invoice.payment_failed":
await handlePaymentFailed(event.data.object);
break;
default:
console.log(`Unhandled Stripe event: ${event.type}`);
}
return c.json({ received: true });
}
);
// GitHub webhooks
app.post(
"/webhooks/github",
webhookVerify("github", process.env.GITHUB_WEBHOOK_SECRET!),
idempotencyCheck(),
async (c) => {
const event = c.get("webhookPayload");
const eventType = c.req.header("x-github-event");
await pool.query(
`INSERT INTO webhook_log (event_id, provider, event_type, payload, received_at)
VALUES ($1, 'github', $2, $3, NOW())`,
[c.get("webhookEventId"), eventType, JSON.stringify(event)]
);
switch (eventType) {
case "push":
await handleGitPush(event);
break;
case "pull_request":
await handlePullRequest(event);
break;
}
return c.json({ received: true });
}
);
// Generic webhook endpoint for custom integrations
app.post(
"/webhooks/:provider",
async (c, next) => {
const provider = c.req.param("provider");
const secret = await getProviderSecret(provider);
if (!secret) return c.json({ error: "Unknown provider" }, 404);
return webhookVerify("generic", secret)(c, next);
},
idempotencyCheck(),
async (c) => {
const provider = c.req.param("provider");
const event = c.get("webhookPayload");
await pool.query(
`INSERT INTO webhook_log (event_id, provider, event_type, payload, received_at)
VALUES ($1, $2, $3, $4, NOW())`,
[c.get("webhookEventId"), provider, event.type || "unknown", JSON.stringify(event)]
);
return c.json({ received: true });
}
);
// Webhook health dashboard
app.get("/webhooks/health", async (c) => {
const { rows } = await pool.query(`
SELECT provider,
COUNT(*) as total_24h,
COUNT(*) FILTER (WHERE status = 'processed') as processed,
COUNT(*) FILTER (WHERE status = 'failed') as failed,
AVG(processing_time_ms) as avg_processing_ms
FROM webhook_log
WHERE received_at > NOW() - INTERVAL '24 hours'
GROUP BY provider
`);
return c.json({ providers: rows });
});
async function handlePaymentSucceeded(payment: any) {
await pool.query(
"UPDATE orders SET payment_status = 'paid', paid_at = NOW() WHERE stripe_payment_id = $1",
[payment.id]
);
}
async function handleSubscriptionUpdated(subscription: any) {
await pool.query(
"UPDATE subscriptions SET status = $2, current_period_end = $3 WHERE stripe_subscription_id = $1",
[subscription.id, subscription.status, new Date(subscription.current_period_end * 1000)]
);
}
async function handlePaymentFailed(invoice: any) {
await pool.query(
`INSERT INTO payment_failures (customer_id, invoice_id, amount, failed_at)
VALUES ($1, $2, $3, NOW())`,
[invoice.customer, invoice.id, invoice.amount_due / 100]
);
}
async function handleGitPush(event: any) { /* trigger CI */ }
async function handlePullRequest(event: any) { /* update PR tracker */ }
async function getProviderSecret(provider: string): Promise<string | null> {
const { rows } = await pool.query(
"SELECT webhook_secret FROM integration_providers WHERE slug = $1",
[provider]
);
return rows[0]?.webhook_secret || null;
}
export default app;
Results
After securing the webhook pipeline:
- Forged webhook attacks blocked 100% — HMAC signature verification rejects every unsigned or incorrectly signed request; the pentest vulnerability is eliminated
- Duplicate processing eliminated — idempotency keys prevent retry storms from processing the same event twice; the $12K quadruple-credit scenario is structurally impossible
- Replay attacks prevented — timestamp validation rejects webhooks older than 5 minutes; an attacker can't replay a captured webhook hours or days later
- Full audit trail — every webhook is logged with payload, timestamp, provider, and processing status; debugging integration issues takes minutes instead of hours
- Processing reliability: 99.97% — on failure, the idempotency key is cleared so provider retries succeed; the system handles transient errors without losing events