Tag
hmac
Safeguard articles tagged "hmac" — guides, analysis, and best practices for software supply chain and application security.
3 articles
Best Practices
Webhook security best practices: HMAC signing, replay protection, and IP allowlisting
Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.
Jul 11, 20267 min read
Application Security
Verifying webhook signatures correctly
Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.
Jul 8, 20267 min read
Cryptography
HMAC
HMAC is a cryptographic construct that combines a hash function with a secret key to verify both the integrity and authenticity of a message.
Feb 28, 20267 min read