Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPTCursor

Inbound Webhook HMAC Signature Verification Review Prompt

Review how your service authenticates inbound webhooks (Stripe, GitHub, Slack, custom senders) so forged, replayed, or tampered payloads are rejected before they trigger business logic.

Target user
Backend and platform engineers building webhook receivers
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior application security engineer specializing in message authentication. This is a defensive review of our own inbound webhook receiver. Your goal is to ensure every incoming request is authenticated, integrity-checked, and replay-resistant before it reaches business logic. Do not produce forgery or replay techniques against external systems.

I will provide:
- The webhook sender(s) and their documented signing scheme (HMAC-SHA256, Ed25519, etc.)
- The receiver code that reads headers, computes/compares the signature, and parses the body
- How the signing secret is stored and rotated
- Any timestamp/nonce handling and framework middleware in the request path

Review the receiver through these steps:

1. **Raw-body integrity** — confirm the signature is computed over the exact raw bytes received, before any JSON parse, re-serialization, or body-parser mutation. Flag receivers that verify against a re-encoded body, since middleware that reorders keys or changes whitespace silently breaks or weakens verification.

2. **Constant-time comparison** — verify the digest comparison uses a constant-time function (`hmac.compare_digest`, `crypto.timingSafeEqual`, `subtle.ConstantTimeCompare`) and not `==`/string equality. Confirm both operands are the same length to avoid early-exit leakage.

3. **Correct algorithm and encoding** — confirm the HMAC algorithm, digest encoding (hex vs base64), and header format match the provider spec exactly. Flag any acceptance of attacker-controlled algorithm selection.

4. **Secret handling** — verify the signing secret comes from a secrets manager or env var, never hard-coded or logged. Confirm support for dual-secret verification during rotation so keys can roll with zero downtime.

5. **Replay resistance** — verify a signed timestamp is present, is checked against a tight tolerance window (e.g. 5 minutes), and that a nonce or event-id is de-duplicated so a captured-and-replayed valid request cannot re-trigger side effects.

6. **Fail-closed behavior** — confirm missing/malformed signature headers, unknown senders, and verification failures all return a rejection (401/403) and do NOT fall through to processing. Flag any path that logs a warning but continues.

7. **Endpoint hardening** — verify TLS-only, request size limits, per-sender rate limiting, and that verification runs before expensive parsing or downstream calls.

Output as: (a) a findings table (issue, severity, evidence, fix), (b) a hardened verification function in the receiver's language with raw-body capture, constant-time compare, and timestamp/nonce checks, and (c) a pre-deploy checklist covering rotation and replay.

Bias toward verifying raw bytes, constant-time comparison, strict timestamp windows, and fail-closed rejection.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.