Webhook Signatures

Verify webhook authenticity against the raw request body before you trust the event.

Webhook signature verification depends on exact bytes. Capture the raw body before parsing, compute the HMAC or signing payload the carrier specifies, and compare with a constant-time check. If verification happens after middleware rewrites the body, your signature logic is already untrustworthy. Signature validation only proves the carrier sent the event. It does not solve replays, ordering, or idempotent processing. Those need separate controls.
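The sequence the paragraph describes, as an added example (not the page's or any carrier's own code): verify against the raw bytes with a constant-time HMAC check, only then parse, and keep replay and idempotency as separate controls. The signing scheme (`"<timestamp>." + raw body`, HMAC-SHA256 hex in `X-Webhook-Signature`, timestamp in `X-Webhook-Timestamp`) and the 300-second tolerance are assumptions standing in for whatever your carrier specifies.

```python
import hashlib
import hmac
import json
import time

# Assumed scheme (hypothetical, not any particular carrier's format):
#   signed payload = "<unix timestamp>." + raw body bytes
#   signature      = hex(HMAC-SHA256(secret, signed payload))
# delivered in the headers X-Webhook-Timestamp and X-Webhook-Signature.

def sign(secret, timestamp, raw_body):
    """Signature the sender attaches; used here only to build the sample delivery."""
    return hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret, raw_body, ts_header, sig_header, now=None, tolerance=300):
    """True only if the signature matches the exact raw bytes and the timestamp is fresh."""
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:  # bounds the replay window; not a full replay defence
        return False
    expected = sign(secret, ts, raw_body)
    return hmac.compare_digest(expected, sig_header or "")  # constant-time comparison

def reserialize(raw_body):
    """What a JSON body-parsing middleware hands you: same meaning, different bytes."""
    return json.dumps(json.loads(raw_body)).encode()

class IdempotentProcessor:
    """Separate control: refuse to act twice on the same event id."""

    def __init__(self):
        self.seen = set()

    def process(self, event):
        if event["id"] in self.seen:
            return False
        self.seen.add(event["id"])
        return True

def handle(secret, raw_body, headers, processor, now=None):
    """Verify against the raw bytes first; parse and act only afterwards."""
    if not verify_signature(secret, raw_body, headers.get("X-Webhook-Timestamp"),
                            headers.get("X-Webhook-Signature"), now):
        return "rejected: bad signature"
    return "processed" if processor.process(json.loads(raw_body)) else "duplicate"
```

Feeding `reserialize(raw_body)` into `verify_signature` instead of the captured bytes fails even though the JSON is semantically identical, which is the middleware failure the text warns about.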