ruby 8 lines · 1 tab

Secure webhook endpoint design with replay protection

Kai Nakamura Apr 2026
1 tab
event_id = request.headers.fetch('X-Event-Id')
timestamp = request.headers.fetch('X-Signature-Timestamp').to_i

raise ActionController::BadRequest, 'stale request' if Time.now.to_i - timestamp > 300
raise ActionController::BadRequest, 'replay detected' if WebhookEvent.exists?(external_id: event_id)

WebhookEvent.create!(external_id: event_id, payload: request.raw_post)
head :accepted
1 file · ruby Explain with highlit

A webhook endpoint is an internet-facing parser plus an authentication problem. I verify signatures, enforce recent timestamps, and store event IDs to block replay attempts. Reliability matters too, so handlers should be idempotent and fast to acknowledge.

Share this code

Here's the card — post it anywhere.

Secure webhook endpoint design with replay protection — share card
Link copied