Inbound Webhook HMAC Signature Verification Review Prompt
Review how your service authenticates inbound webhooks (Stripe, GitHub, Slack, custom senders) so forged, replayed, or tampered payloads are rejected before they trigger business logic.
- Target user
- Backend and platform engineers building webhook receivers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior application security engineer specializing in message authentication. This is a defensive review of our own inbound webhook receiver. Your goal is to ensure every incoming request is authenticated, integrity-checked, and replay-resistant before it reaches business logic. Do not produce forgery or replay techniques against external systems. I will provide: - The webhook sender(s) and their documented signing scheme (HMAC-SHA256, Ed25519, etc.) - The receiver code that reads headers, computes/compares the signature, and parses the body - How the signing secret is stored and rotated - Any timestamp/nonce handling and framework middleware in the request path Review the receiver through these steps: 1. **Raw-body integrity** — confirm the signature is computed over the exact raw bytes received, before any JSON parse, re-serialization, or body-parser mutation. Flag receivers that verify against a re-encoded body, since middleware that reorders keys or changes whitespace silently breaks or weakens verification. 2. **Constant-time comparison** — verify the digest comparison uses a constant-time function (`hmac.compare_digest`, `crypto.timingSafeEqual`, `subtle.ConstantTimeCompare`) and not `==`/string equality. Confirm both operands are the same length to avoid early-exit leakage. 3. **Correct algorithm and encoding** — confirm the HMAC algorithm, digest encoding (hex vs base64), and header format match the provider spec exactly. Flag any acceptance of attacker-controlled algorithm selection. 4. **Secret handling** — verify the signing secret comes from a secrets manager or env var, never hard-coded or logged. Confirm support for dual-secret verification during rotation so keys can roll with zero downtime. 5. **Replay resistance** — verify a signed timestamp is present, is checked against a tight tolerance window (e.g. 5 minutes), and that a nonce or event-id is de-duplicated so a captured-and-replayed valid request cannot re-trigger side effects. 6. **Fail-closed behavior** — confirm missing/malformed signature headers, unknown senders, and verification failures all return a rejection (401/403) and do NOT fall through to processing. Flag any path that logs a warning but continues. 7. **Endpoint hardening** — verify TLS-only, request size limits, per-sender rate limiting, and that verification runs before expensive parsing or downstream calls. Output as: (a) a findings table (issue, severity, evidence, fix), (b) a hardened verification function in the receiver's language with raw-body capture, constant-time compare, and timestamp/nonce checks, and (c) a pre-deploy checklist covering rotation and replay. Bias toward verifying raw bytes, constant-time comparison, strict timestamp windows, and fail-closed rejection.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
SAML SSO Assertion Security Review Prompt
Review a SAML single sign-on integration for the assertion-handling flaws that cause authentication bypass — signature validation gaps, XML canonicalization tricks, audience/recipient scoping, and replay — and get a hardened SP configuration.
-
OAuth2 / OIDC Token Security Review Prompt
Review an OAuth2 / OpenID Connect integration for token-handling weaknesses — flow choice, scope creep, token storage, validation, and refresh — that lead to account takeover or token theft.
-
PAM & MFA Authentication Policy Review Prompt
Review a Linux host's PAM stack and multi-factor configuration to close authentication gaps — weak password policy, missing MFA, lockout bypasses, and dangerous module ordering.
-
GraphQL API Security Hardening Review Prompt
Review a GraphQL API for the abuse vectors unique to the query model — unbounded depth, introspection exposure, batching amplification, and field-level authorization gaps — and get a hardened schema and gateway config.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.