Skip to main content

Webhook Header Validation

Verify the authenticity of incoming webhook events through configurable header validation and signature verification.

What It Is

Header validation checks that incoming webhook requests contain the required headers and, where supported, verifies cryptographic signatures to confirm the event originated from the expected source.

How It Works

Header validation operates on incoming webhook requests:

  1. The request headers are inspected for required fields and accepted value patterns
  2. Where signature verification is supported, the signature is validated against the expected secret
  3. Requests with missing, invalid, or mismatched headers are rejected before delivery processing
  4. Validation outcomes are recorded in delivery evidence for audit purposes

Supported Providers

ProviderSignature HeaderScheme
StripeStripe-SignatureTimestamped HMAC-SHA256 with signing secret
GitHubX-Hub-Signature-256HMAC-SHA256 with shared secret
TwilioTwilio-SignatureTwilio-Signature validation using URL, params, and auth token
ShopifyX-Shopify-Hmac-SHA256HMAC-SHA256 with shared secret
CustomUser-configuredHMAC-SHA256 with user-configured secret

Configuration Options

SettingDescription
Required headersHeaders that must be present on incoming webhook requests
Accepted values/patternsExpected values or patterns for validated headers
Signature headerSupport for provider-specific signature headers
Failure behaviorWhat happens when header validation fails (reject, log, route to quarantine)

Operational Status

Signature verification is implemented and tested for Stripe, GitHub, Shopify, and Twilio when configured. Custom/generic HMAC/header validation is available where configured.

  • Stripe: Stripe-Signature header verification — implemented and validated
  • GitHub: X-Hub-Signature-256 header verification — implemented and validated
  • Twilio: Twilio-Signature header verification — implemented and validated
  • Shopify: X-Shopify-Hmac-SHA256 header verification — implemented and validated
  • Custom: User-configured secret with HMAC-SHA256 — available

Live external provider validation is distinct from backend signature-verification tests.

Example Scenario

An organization receives webhooks from Stripe, GitHub, Twilio, and Shopify. Header validation is configured for each provider's signature scheme. A forged webhook request without a valid signature is rejected — protecting downstream services from processing unverified events.

Plan Tiering

Header filtering, blocking, and transform management is a Business+ feature planned for V1.1. Free and Pro plans do not include header management. See Security Feature Tiering for details.