Understanding Stripe Webhook Signatures: HMAC-SHA256, Replay Protection, and Constant-Time Verification
When your application receives a webhook from Stripe, it needs a way to answer a simple but important question: “Did this request really come from Stripe, and has it been changed?” Stripe solves this using a message authentication scheme based on HMAC-SHA256. Even though Stripe calls the value in the header a “signature,” it is not a digital signature in the public/private key sense. Instead, it is a symmetric authentication scheme. That means Stripe and your server both share the same secret. Stripe uses that secret to generate a cryptographic...
Brandon Soule