- Reject timestamps older than 300 seconds
- Use constant-time signature comparison
- Store webhook secrets encrypted at rest (platform-side)
- Return HTTP 200 only after successful verification
Webhook Security
Meum security guidance for webhooks.
Verify every webhook with HMAC v1 before processing.
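
A receiver-side check that applies the verification rules listed on this page, as an added example and not Meum's own code. The header layout `t=<unix seconds>,v1=<hex digest>`, the signed string `<timestamp>.<body>`, the use of SHA-256, and the 400/401 failure codes are assumptions; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # from the guidance: reject timestamps older than 300 seconds


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Assumed v1 scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, header: str, body: bytes, now=None):
    """Return (http_status, reason); 200 is returned only after every check passes."""
    now = int(time.time()) if now is None else now
    # Parse the assumed header layout "t=<unix seconds>,v1=<hex digest>".
    fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    ts_raw, received = fields.get("t", ""), fields.get("v1", "")
    if not (ts_raw.isascii() and ts_raw.isdigit()) or not received:
        return 400, "malformed signature header"
    timestamp = int(ts_raw)
    # Recompute over the raw bytes as received (not re-serialized JSON) and
    # compare in constant time so response timing does not reveal how much
    # of a forged signature matched.
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401, "signature mismatch"
    # The timestamp is covered by the MAC, so it can be trusted only now.
    # A captured request replayed after the window fails here.
    if now - timestamp > MAX_AGE_SECONDS:
        return 401, "timestamp too old"
    return 200, "ok"


if __name__ == "__main__":
    secret = b"constructed-example-secret"      # constructed sample value
    body = b'{"event":"ping"}'                  # constructed sample payload
    sent_at = int(time.time()) - 5
    header = f"t={sent_at},v1={sign(secret, sent_at, body)}"
    print(verify_webhook(secret, header, body))
    print(verify_webhook(secret, header, body + b" "))  # body altered in transit
```

Call `verify_webhook` on the raw request body before any parsing or side effects, and process the event only when it returns 200.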