Security & HMAC Signing
Every webhook request Savebase sends is signed with HMAC-SHA256 so you can confirm it genuinely came from Savebase and hasn't been tampered with in transit. You should always verify this signature before processing a webhook event.
How Signing Works
Savebase computes the signature by running HMAC-SHA256 over the raw request body using your webhook's Signing Secret as the key. The result is sent in the X-Savebase-Signature header as sha256=<hex-digest>.
Use the raw body
Always compute the HMAC over the raw, unmodified request body bytes — not a re-serialised JSON object. Parsing and re-stringifying JSON can change whitespace and key order, causing signature verification to fail.
| Header | Value format |
|---|---|
X-Savebase-Signature | sha256=abcdef0123... |
X-Savebase-Event | post.saved |
User-Agent | Savebase-Webhook/1.0 |
Node.js / Express
bash
const crypto = require('crypto');
function verifySignature(rawBody, signatureHeader, secret) {
const expected = 'sha256=' + crypto
.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected, 'utf8'),
Buffer.from(signatureHeader, 'utf8')
);
}
app.post(
'/savebase-webhook',
express.raw({ type: 'application/json' }),
(req, res) => {
const sig = req.headers['x-savebase-signature'];
if (!sig || !verifySignature(req.body, sig, process.env.SAVEBASE_WEBHOOK_SECRET)) {
return res.status(401).send('Invalid signature');
}
const event = JSON.parse(req.body);
console.log('Event:', event.event, event.data.id);
res.sendStatus(200);
}
);Python / Flask
bash
import hmac, hashlib, os
from flask import Flask, request, abort
app = Flask(__name__)
WEBHOOK_SECRET = os.environ['SAVEBASE_WEBHOOK_SECRET']
@app.route('/savebase-webhook', methods=['POST'])
def handle_webhook():
sig_header = request.headers.get('X-Savebase-Signature', '')
raw_body = request.get_data()
expected = 'sha256=' + hmac.new(
WEBHOOK_SECRET.encode('utf-8'),
raw_body,
hashlib.sha256
).hexdigest()
if not hmac.compare_digest(expected, sig_header):
abort(401)
payload = request.get_json()
print('Received event:', payload['event'])
return '', 200PHP
bash
<?php
$secret = getenv('SAVEBASE_WEBHOOK_SECRET');
$rawBody = file_get_contents('php://input');
$sigHeader = $_SERVER['HTTP_X_SAVEBASE_SIGNATURE'] ?? '';
$expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
if (!hash_equals($expected, $sigHeader)) {
http_response_code(401);
exit('Invalid signature');
}
$event = json_decode($rawBody, true);
error_log('Received: ' . $event['event']);
http_response_code(200);Security Best Practices
- Respond quickly. Return a
200 OKwithin 10 seconds. Savebase times out after 10 s and marks the delivery as failed. Offload heavy work to a background job. - Never log your signing secret. Treat it like a password. Rotate it in
Settings → Webhooksif you believe it has been compromised. - Use HTTPS only. Savebase rejects plain HTTP endpoints.
- Use timing-safe comparison. Always use
crypto.timingSafeEqual(Node),hmac.compare_digest(Python), orhash_equals(PHP) — never a plain===. - Idempotency. The same event may occasionally be delivered more than once after retries. Use
data.idas an idempotency key to deduplicate.