
Webhook Signatures, Replay Defense & Ordering

Verify webhook authenticity, reject replays, and survive out-of-order carrier events.

Trust the Raw Body, Not the Parsed Object

Webhook signature verification usually depends on the exact raw request body plus a shared secret. If your framework parses and rewrites the payload before verification, a valid event can fail signature validation or, worse, an invalid event can slip through if you verify the wrong bytes.
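The following is an added example, not code from the original page or from any carrier's SDK. It uses a constructed signing scheme (an HMAC-SHA256 over "<timestamp>.<raw body>" carried in a header of the form "t=...,v1=...", a shape several webhook providers use, but the details here are assumptions) and a constructed secret and event. It verifies against the exact bytes received and then shows what happens when the same JSON is parsed and re-serialized by a framework before verification: the bytes change, so the signature no longer matches.

```python
import hashlib
import hmac
import json

# Constructed sample secret; a real deployment loads this from a secret store.
SECRET = b"whsec_example_shared_secret"


def sign(raw_body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side (hypothetical scheme): HMAC-SHA256 over "<ts>.<raw bytes>"."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(raw_body: bytes, header: str, secret: bytes = SECRET) -> bool:
    """Receiver side: recompute over the raw bytes and compare in constant time."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (ValueError, KeyError):
        return False  # malformed header is a failure, not an exception path
    expected = hmac.new(
        secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, provided)


# Constructed sample event exactly as it would arrive on the wire.
RAW = b'{"id":"evt_001","status":"delivered","tracking":"1Z999"}'
HEADER = sign(RAW, 1700000000)


def verify_raw_body() -> bool:
    """Correct: verify the bytes the carrier actually sent."""
    return verify(RAW, HEADER)


def verify_reserialized_body() -> bool:
    """Wrong: a framework parsed the JSON and re-encoded it before verification.
    json.dumps inserts spaces after ':' and ',', so the bytes differ."""
    reencoded = json.dumps(json.loads(RAW)).encode()
    return verify(reencoded, HEADER)


if __name__ == "__main__":
    print("raw bytes verify:", verify_raw_body())            # True
    print("re-serialized verify:", verify_reserialized_body())  # False
```

The practical rule this encodes: read the request body as bytes once, verify against those bytes, and only then hand the parsed object to the rest of the application.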

Replay and Ordering Are Separate Problems

A replay attack resends the same event. Out-of-order delivery sends valid but differently timed events in the wrong sequence. You need an event ID ledger for replay defense and timestamp or sequence handling for ordering. One control does not solve the other.

Carrier Reality

A carrier can deliver 'delivered' before 'out for delivery' because separate internal systems publish the updates. If you trust arrival order, your status model regresses in public-facing tracking.
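The two controls described above, an event ID ledger for replays and carrier-timestamp handling for ordering, as one added example (not code from the original page). The status names, ranking, tracking number and event timestamps are constructed for illustration; the in-memory set and dicts stand in for durable storage. The demo at the bottom reproduces the carrier scenario from the paragraph above: 'delivered' arrives before 'out for delivery', and then the 'delivered' event is replayed.

```python
from dataclasses import dataclass, field

# Constructed status ladder; a real carrier's status model will differ.
STATUS_RANK = {"label_created": 0, "in_transit": 1, "out_for_delivery": 2, "delivered": 3}


@dataclass
class Event:
    event_id: str
    tracking: str
    status: str
    occurred_at: int  # carrier-side event time (epoch seconds), not arrival time


@dataclass
class Tracker:
    seen_ids: set = field(default_factory=set)   # replay ledger (durable table with TTL in prod)
    state: dict = field(default_factory=dict)    # tracking -> (status, occurred_at)
    history: dict = field(default_factory=dict)  # tracking -> every accepted event, stale ones too

    def apply(self, ev: Event) -> str:
        """Returns 'duplicate' (replay), 'applied' (state advanced) or 'stale' (kept for the timeline only)."""
        # Replay defense: the ledger decides purely on event id, never on content.
        if ev.event_id in self.seen_ids:
            return "duplicate"
        self.seen_ids.add(ev.event_id)
        self.history.setdefault(ev.tracking, []).append(ev)

        current = self.state.get(ev.tracking)
        if current is None:
            self.state[ev.tracking] = (ev.status, ev.occurred_at)
            return "applied"

        cur_status, cur_ts = current
        # Ordering: the public status follows the later carrier timestamp; on a tie,
        # the higher-ranked status wins so a terminal state never regresses.
        later = ev.occurred_at > cur_ts
        tie_wins = ev.occurred_at == cur_ts and (
            STATUS_RANK.get(ev.status, -1) > STATUS_RANK.get(cur_status, -1)
        )
        if later or tie_wins:
            self.state[ev.tracking] = (ev.status, ev.occurred_at)
            return "applied"
        return "stale"


def public_status(tracker: Tracker, tracking: str) -> str:
    return tracker.state[tracking][0]


def run_out_of_order_demo():
    """Constructed delivery sequence: events 1, 3, 2 arrive in that order, then 3 is replayed."""
    t = Tracker()
    results = [
        t.apply(Event("evt_1", "1Z999", "in_transit", 100)),
        t.apply(Event("evt_3", "1Z999", "delivered", 300)),         # arrives early
        t.apply(Event("evt_2", "1Z999", "out_for_delivery", 200)),  # arrives late
        t.apply(Event("evt_3", "1Z999", "delivered", 300)),         # replayed
    ]
    return results, t


if __name__ == "__main__":
    results, t = run_out_of_order_demo()
    print(results)                          # ['applied', 'applied', 'stale', 'duplicate']
    print(public_status(t, "1Z999"))        # delivered
```

Note that the late 'out for delivery' event is still recorded in the history; it is only kept out of the public status. That is what lets you reconstruct during an incident what the carrier sent and in what order, without the customer-facing view ever moving backwards.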

Acknowledge Fast, Observe Deeply

The receiver should verify, persist, and acknowledge quickly. Heavy downstream work belongs in asynchronous workers. Pair that with event-level logging so you can reconstruct replay, ordering, and deduplication behavior during an incident.
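An added example of the receive path described above (not code from the original page): the handler verifies, records the event id in a ledger, persists the event to a queue and acknowledges, and a separate worker does the downstream work. Each request produces one event-level log record with the fields the practice drill below asks for: raw-body hash, signature result, deduplication outcome, downstream status and the acknowledgement sent. The signing scheme (HMAC-SHA256 over the raw body, hex in the header), the secret, and the in-memory queue, ledger and audit list are all constructed stand-ins for a carrier's real scheme and for durable storage.

```python
import hashlib
import hmac
import json
import queue

SECRET = b"whsec_example_shared_secret"  # constructed; load from a secret store in practice
INBOX: "queue.Queue[dict]" = queue.Queue()  # stands in for a durable queue
LEDGER: set = set()                         # stands in for a durable event-id table
AUDIT: list = []                            # one structured record per received request


def sign_body(raw_body: bytes) -> str:
    """Sender side of the constructed scheme, used here to build test input."""
    return hmac.new(SECRET, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, sig_header: str) -> int:
    """Fast path: verify, persist, acknowledge. No downstream calls happen here."""
    record = {"body_sha256": hashlib.sha256(raw_body).hexdigest()}
    expected = hmac.new(SECRET, raw_body, hashlib.sha256).hexdigest()
    record["signature_valid"] = hmac.compare_digest(expected, sig_header)
    if not record["signature_valid"]:
        record["ack"] = 401
        AUDIT.append(record)
        return 401

    event = json.loads(raw_body)  # parse only after the raw bytes verified
    record["event_id"] = event["id"]
    if event["id"] in LEDGER:
        # Acknowledge replays as well, so the carrier stops retrying, but never re-queue them.
        record["dedup"] = "duplicate"
        record["ack"] = 200
        AUDIT.append(record)
        return 200

    LEDGER.add(event["id"])
    record["dedup"] = "new"
    INBOX.put({"event": event, "record": record})  # persisted before the ack goes out
    record["ack"] = 200
    AUDIT.append(record)
    return 200


def worker_drain() -> list:
    """Asynchronous worker: the heavy fan-out runs here, after the carrier was acknowledged."""
    processed = []
    while not INBOX.empty():
        item = INBOX.get()
        # Placeholder for the real downstream systems (inventory, notifications, analytics).
        item["record"]["downstream"] = "ok"
        processed.append(item["event"]["id"])
    return processed


if __name__ == "__main__":
    body = b'{"id":"evt_9","status":"in_transit","tracking":"1Z999"}'  # constructed
    print(handle_webhook(body, sign_body(body)))  # 200, queued
    print(handle_webhook(body, sign_body(body)))  # 200, duplicate, not re-queued
    print(handle_webhook(body, "00" * 32))        # 401, bad signature
    print(worker_drain())                         # ['evt_9']
    for rec in AUDIT:
        print(rec)
```

The worker writes its downstream status into the same record the receiver created, so a single record per event id tells you what bytes arrived, whether they verified, whether they were treated as new or duplicate, what the carrier was told, and whether the downstream work completed. If the worker runs in another process, the record id (here the event id) is the join key between the two logs.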

Practice Drills

For asynchronous webhook handlers, log the raw-body hash, the signature validation result, the downstream status, the deduplication outcome, and the final acknowledgement sent back to the carrier.

Your webhook handler verifies the signature, writes directly to three downstream systems, and only then returns 200. What is the main operational risk?