# Webhook Security and Request Signing

One-sentence definition: Verify inbound callbacks to prevent spoofing and replay.

## Key Facts

- Validate origin via shared-secret HMAC or mTLS; check timestamps and nonces.
- Enforce idempotency and retry handling; respond with minimal information.
- IP allowlists are optional and never the sole control; rotate secrets periodically.
- Log signature verification results; reject unsigned or expired requests.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose signature verification plus timestamp checks over IP-only trust.

**Mnemonic:** “**Signed and timely, or denied**.”

## Mini Scenario

Q: Duplicate webhook deliveries charge orders twice. What should be added?

A: Idempotency keys and signature+timestamp checks.

## Revision Checklist

- Two verification methods.
- Replay guard.
- Logging requirement.

## Related

[[Event-Driven Architecture Security (Idempotency and Ordering)]] · [[API Security Fundamentals (REST GraphQL gRPC)]] · [[Rate Limiting and Anti-Automation (Bots)]] · [[Serverless Security (Functions-as-a-Service)]] · [[Domain 8 - Index]]