What is Webhook Security?
Turkish: Webhook Güvenliği (İmza Doğrulama)
Webhook security verifies incoming event callbacks with signatures, timestamps, replay protection, and strict endpoint controls.
What is Webhook Security?
Webhook security focuses on proving that an incoming event callback really came from the expected provider. Because a webhook endpoint is reachable from the internet, keeping the URL obscure is not enough; an attacker may try to send fake payment, cancellation, or inventory events to the same address.
Core Protection Layers
- Signature verification: The provider signs the payload, often with HMAC over the raw request body. The receiver recalculates the signature with the shared secret and compares it using a constant-time comparison.
- Timestamp window: Requests whose signed timestamp falls outside a short tolerance window are rejected, so captured callbacks cannot be reused later.
- Replay protection: Event IDs or nonces are stored to prevent the same notification from being processed twice.
- Narrow endpoint design: Only the expected HTTP method, content type, and payload schema are accepted.
- Logging and alerts: Signature failures, unusual retries, and unexpected sources are monitored.
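The five layers above combined in one receiver, as an added example written for this page (not a provider's SDK). The header layout `t=<unix-ts>,v1=<hex>` and the secret are constructed assumptions; real providers differ in header names and signed-string format.

```python
import hmac
import hashlib
import json
import time
from typing import Dict, Optional, Tuple

SECRET = b"constructed-shared-secret"   # assumed; stored outside the code in practice
TOLERANCE_SECONDS = 300                  # timestamp window
_seen_event_ids = set()                  # replay store; use a persistent store in production

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Provider-side signing (assumed format) so the example runs stand-alone."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"

def parse_signature_header(header: str) -> Tuple[int, str]:
    """Parse 't=<ts>,v1=<hex>'; raises ValueError/KeyError on malformed input."""
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]

def verify_webhook(headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); each layer rejects before the payload is trusted."""
    now = int(time.time()) if now is None else now
    # Narrow endpoint: only the expected content type is accepted.
    if headers.get("Content-Type") != "application/json":
        return False, "unexpected content type"
    try:
        ts, sent_mac = parse_signature_header(headers.get("X-Signature", ""))
    except (KeyError, ValueError):
        return False, "malformed signature header"
    # Timestamp window: stale or far-future callbacks are rejected.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    # Signature: recompute over the raw bytes and compare in constant time.
    expected = hmac.new(SECRET, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sent_mac):
        return False, "bad signature"
    # Payload schema: require the fields the handler depends on.
    try:
        event_id = json.loads(body)["id"]
    except (ValueError, KeyError, TypeError):
        return False, "payload schema mismatch"
    # Replay protection: each event id is processed once.
    if event_id in _seen_event_ids:
        return False, "replayed event id"
    _seen_event_ids.add(event_id)
    return True, "ok"
```

Every rejection returns a distinct reason so the failures the Logging and alerts layer should count (bad signature, stale timestamp, replay) are separable in logs.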
Business Use
Payment providers, marketplaces, shipping platforms, and subscription systems send critical state changes through webhooks. Processing those events without verification can create fake order confirmations, duplicate refunds, or incorrect stock updates.
Hashing is the basis of signature generation, while API security covers the broader set of controls such as authentication, rate limits, and safe error responses.
Related Terms
API security protects endpoints with authentication, authorization, encryption, rate limits, and monitoring against misuse or data leaks.
Hashing: Hashing is a one-way process that turns data into a fixed-length digest for password storage and integrity checks.
Webhook: A webhook lets one system automatically send an HTTP request to another when an event occurs, so updates arrive without polling.