Webhook validation patterns with signature verification, event logging, and testing tools. Use when implementing webhooks, validating webhook signatures, securing payment webhooks, testing webhook endpoints, preventing replay attacks, or when user mentions webhook security, Stripe webhooks, signature verification, webhook testing, or event validation.
February 1, 2026
```bash
npx add-skill https://github.com/vanman2024/ai-dev-marketplace/blob/main/plugins/payments/skills/webhook-security/SKILL.md -a claude-code --skill webhook-security
```

Installation paths:

- `.claude/skills/webhook-security/`

# webhook-security

## Instructions

This skill provides webhook security patterns for payment integrations (Stripe, PayPal, and other providers). It covers signature verification, replay attack prevention, event logging, idempotency, and local testing workflows.

### 1. Webhook Signature Verification

Verify the provider's cryptographic signature on every webhook request before acting on it:

**Why Signature Verification Matters:**

- Prevents forged events: anyone who learns the endpoint URL can POST a JSON body that looks like a successful payment; only the holder of the webhook signing secret can produce a valid signature.
- Authenticates the sender: a valid signature proves the event was produced by the payment provider (or by someone holding the secret, which is why the secret must be stored and rotated like any other credential).
- Detects tampering: the signature covers the raw request body, so a modified payload fails verification. TLS protects the transport; the signature is what authenticates the provider at the application layer.
- Baseline control for PCI DSS in-scope integrations: an endpoint that changes order or payment state without authenticating its caller is an obvious finding in any assessment.

**Setup Process:**

```bash
# Generate and configure a webhook endpoint with signature verification
# (the path below is the plugin's install location on the author's machine; adjust to yours)
bash /home/gotime2022/.claude/plugins/marketplaces/ai-dev-marketplace/plugins/payments/skills/webhook-security/scripts/setup-webhook-endpoint.sh stripe
```

**Verification Algorithm (Stripe):**

1. Read the `Stripe-Signature` header and extract the timestamp (`t=`) and every `v1=` signature. More than one `v1` value is present while the endpoint secret is being rotated.
2. Construct the signed payload as `timestamp.raw_body`, using the exact bytes received. Do not re-serialize a parsed JSON object; whitespace or key-order differences break the signature.
3. Compute HMAC-SHA256 over the signed payload with the endpoint's webhook secret.
4. Compare the computed signature with each received `v1` signature using a constant-time comparison; accept if any one matches.
5. Verify the timestamp is within tolerance (5 minutes by default). Because the timestamp is part of the signed payload, an attacker cannot refresh it on a captured event.

### 2. Replay Attack Prevention

Protect against replay attacks, where an attacker resends a captured, validly signed webhook event:

**Defense Mechanisms:**

- **Timestamp Validation:** Reject events whose signed timestamp is more than 5 minutes from the server clock.
- **Event ID Tracking:** Persist processed event IDs and skip any event already seen. This also absorbs legitimate redelivery, since providers retry on non-2xx responses.
- **Signature Verification:** Binds the timestamp and body together, so a replayed event cannot be given a fresh timestamp or an altered body. On its own it does not stop replay of an unmodified, recent event; the two checks above do.
- **Idempotent Handlers:** Design processing so that handling the same event twice has the same effect as handling it once (for example, key the order update on the event or payment intent ID), as a backstop when the ID store misses.

**Implementation:**

```bash
# Use the signature verification script
# (the path below is the plugin's install location on the author's machine; adjust to yours)
python /home/gotime2022/.claude/plugins/marketplaces/ai-dev-marketplace/plugins/payments/skills/webhook-security/scripts/verify-signature.py
```

### 3. Event Logging and Auditing

Log all webhook events for debugging, compliance, and dispute resolution:

**What to Log:**

- Raw webhook payload (for signature re-verificati
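The verification algorithm from section 1 and the replay defenses from section 2, as one worked example added here; it is not one of the skill's own scripts. It assumes Stripe's header format `t=<unix timestamp>,v1=<hex HMAC>[,v1=...]` and signed payload `<timestamp>.<raw body>`; the secret, event body and event ID are constructed fixtures, and the in-memory `ReplayGuard` stands in for whatever durable store a real endpoint would use.

```python
"""Stripe-style webhook verification with timestamp and event-ID replay checks.

Added example, not the skill's own script. Header format (t=...,v1=...) and
signed payload (`timestamp.raw_body`) follow Stripe's scheme; the secret, body
and event ID below are constructed fixtures.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # default tolerance: reject timestamps more than 5 minutes off
WEBHOOK_SECRET = b"whsec_constructed_example_secret"  # fixture, not a real secret


class WebhookError(Exception):
    """Raised when a webhook fails verification; the endpoint should answer 400."""


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over `timestamp.raw_body`, hex encoded (the v1 scheme)."""
    signed_payload = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> tuple[int, list[str]]:
    """Split `t=...,v1=...[,v1=...]` into the timestamp and all v1 candidates.

    More than one v1 value is present while the endpoint secret is being rotated.
    """
    timestamp = None
    candidates: list[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            candidates.append(value)
    if timestamp is None or not candidates:
        raise WebhookError("malformed signature header")
    return timestamp, candidates


def verify_signature(secret: bytes, raw_body: bytes, header: str, now: int | None = None) -> None:
    """Steps 1-5 of the verification algorithm; raises WebhookError on any failure."""
    now = int(time.time()) if now is None else now
    timestamp, candidates = parse_signature_header(header)
    expected = sign_payload(secret, timestamp, raw_body)
    # Constant-time comparison against every candidate; any single match is accepted.
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise WebhookError("signature mismatch")
    # The timestamp is inside the signed payload, so a replayed event cannot be refreshed.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise WebhookError("timestamp outside tolerance")


class ReplayGuard:
    """Remembers processed event IDs; a real endpoint backs this with a database."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def first_time(self, event_id: str) -> bool:
        if event_id in self._seen:
            return False
        self._seen.add(event_id)
        return True


def handle_webhook(secret: bytes, raw_body: bytes, header: str,
                   guard: ReplayGuard, now: int | None = None) -> str:
    """Verify over the raw bytes first, parse second, deduplicate third."""
    verify_signature(secret, raw_body, header, now=now)
    event = json.loads(raw_body)
    if not guard.first_time(event["id"]):
        return "duplicate"  # redelivery or replay: acknowledge with 200, do no work
    return "processed"


def demo() -> dict[str, str]:
    """Happy path, a replay, a stale event, a tampered body, and secret rotation."""
    now = 1_700_000_000  # fixed clock keeps the example deterministic
    body = json.dumps({"id": "evt_constructed_001", "type": "payment_intent.succeeded",
                       "data": {"object": {"amount": 2000, "currency": "usd"}}}).encode()
    header = f"t={now},v1={sign_payload(WEBHOOK_SECRET, now, body)}"
    guard = ReplayGuard()
    results = {"first": handle_webhook(WEBHOOK_SECRET, body, header, guard, now=now),
               "replay": handle_webhook(WEBHOOK_SECRET, body, header, guard, now=now)}
    failing = {"stale": (body, header, now + TOLERANCE_SECONDS + 1),
               "tampered": (body.replace(b"2000", b"1"), header, now)}
    for name, (b, h, clock) in failing.items():
        try:
            handle_webhook(WEBHOOK_SECRET, b, h, ReplayGuard(), now=clock)
            results[name] = "accepted"
        except WebhookError as exc:
            results[name] = str(exc)
    # Rotation: the header carries one signature under the old secret and one under the current one.
    old_sig = sign_payload(b"whsec_old_secret", now, body)
    rotated = f"t={now},v1={old_sig},v1={sign_payload(WEBHOOK_SECRET, now, body)}"
    results["rotation"] = handle_webhook(WEBHOOK_SECRET, body, rotated, ReplayGuard(), now=now)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:>9}: {outcome}")
```

`verify_signature` runs before `json.loads`, so unauthenticated input never reaches the parser, and the replay guard is consulted only after the signature and timestamp pass, so an attacker cannot poison the ID store with forged events. The order in `demo()` matters for the stale case: its signature is valid, and only the timestamp check rejects it.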