Home/Guides/Request replay safety guide for signed webhooks

Request replay safety guide for signed webhooks

Attackers can replay captured requests within the signature window. Combine timestamp checks, short tolerances, and idempotent handlers keyed by provider event IDs.

Common causes

No timestamp in signed content.
Tolerance window too wide.
Idempotency only by HTTP path, not event ID.

How to fix

Use Timestamp Validator to model allowed skew.
Reject events older than policy.
Store processed IDs with TTL ≥ replay window.

Use our tool

Validate timestamp

Webhook tester guide: test endpoint, payload, and response
Content parser guide: parse and validate Content-Type header
Fix webhook signature verification fail

All guides