GuardAPI

Fix Insecure Webhooks in Sinatra

Webhooks are essentially open doors into your infrastructure. Without cryptographic verification, any attacker can spoof requests to your Sinatra endpoints, leading to unauthorized actions, data corruption, or even remote code execution. To secure these, you must implement HMAC-based signature verification to ensure the payload originated from a trusted source and hasn't been tampered with in transit.

The Vulnerable Pattern

require 'sinatra'
require 'json'

post '/webhook' do
  # SECURITY RISK: Blindly trusting the request body
  data = JSON.parse(request.body.read)

  # Attacker can trigger this logic with any payload
  if data['action'] == 'deploy'
    system("./deploy.sh #{data['branch']}")
  end

  status 200
end

The Secure Implementation

The secure implementation introduces a cryptographic handshake. First, we capture the raw request body; this is critical because parsing the JSON and re-serializing it can change the exact bytes (whitespace, key order), which would invalidate the hash. We then use a shared secret and the SHA256 algorithm to generate an HMAC (Hash-based Message Authentication Code) over those raw bytes. Finally, we compare it to the signature header with Rack::Utils.secure_compare. This is a constant-time comparison function that prevents timing attacks, where an attacker might otherwise deduce the correct signature by measuring how many nanoseconds it takes for the server to reject an invalid attempt.

require 'sinatra'
require 'json'
require 'openssl'
require 'rack/utils'

post '/webhook' do
  request.body.rewind
  payload_body = request.body.read
  signature = request.env['HTTP_X_HUB_SIGNATURE_256']
  secret = ENV['WEBHOOK_SECRET'] # Shared secret

  halt 401, 'Missing signature' if signature.nil?
  # Fail closed if the secret was never configured instead of raising on a nil key
  halt 500, 'Webhook secret not configured' if secret.nil? || secret.empty?

  # 1. Compute HMAC using SHA256 over the raw body bytes
  computed_sig = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, payload_body)

  # 2. Constant-time comparison to prevent timing attacks
  unless Rack::Utils.secure_compare(computed_sig, signature)
    halt 403, 'Signature mismatch'
  end

  # Safe to process verified data
  data = JSON.parse(payload_body)

  status 200
end
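To make the points in the explanation above concrete outside of a running Sinatra app, here is an added example (not code from the original article) that pulls the signing and verification logic into plain functions and exercises the failure modes: a missing header, a tampered body, and the re-serialized-JSON case where the data is identical but the bytes are not. It uses Rack::Utils.secure_compare like the route above and falls back to OpenSSL.secure_compare only when the rack gem is not installed; the secret, body and helper names are constructed for this demonstration.

```ruby
require 'json'
require 'openssl'

# Use the same constant-time comparison as the route above; fall back to
# OpenSSL's (openssl gem >= 2.2) when rack is not available in this environment.
begin
  require 'rack/utils'
  SECURE_COMPARE = Rack::Utils.method(:secure_compare)
rescue LoadError
  SECURE_COMPARE = OpenSSL.method(:secure_compare)
end

# Header prefix used by GitHub-style webhooks (matches the route above).
SIG_PREFIX = 'sha256='

# Sender side: sign the exact bytes that will travel on the wire.
def sign_payload(secret, raw_body)
  SIG_PREFIX + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, raw_body)
end

# Receiver side: verify the header against the raw body.
# Returns :missing, :mismatch or :ok so a route can map these to 401/403/200.
def verify_signature(secret, raw_body, header_value)
  return :missing if header_value.nil? || header_value.empty?
  expected = sign_payload(secret, raw_body)
  # Constant-time compare; a length mismatch is simply false, with no early exit
  # that leaks how many leading bytes matched.
  SECURE_COMPARE.call(expected, header_value) ? :ok : :mismatch
end

# Constructed demonstration values (not from any real deployment).
DEMO_SECRET = 'constructed-demo-secret'
DEMO_RAW_BODY = '{"action": "deploy", "branch": "main"}'

# Runs each scenario and returns the outcomes in a hash.
def demo
  sig = sign_payload(DEMO_SECRET, DEMO_RAW_BODY)
  results = {}

  # Genuine delivery: header matches the raw bytes.
  results[:valid] = verify_signature(DEMO_SECRET, DEMO_RAW_BODY, sig)

  # No header at all: reject before doing any work.
  results[:missing] = verify_signature(DEMO_SECRET, DEMO_RAW_BODY, nil)

  # Body altered in transit: the old signature no longer verifies.
  results[:tampered] = verify_signature(DEMO_SECRET, DEMO_RAW_BODY.sub('main', 'evil'), sig)

  # Same data after a parse/generate round trip: whitespace differs, so the
  # bytes differ and the HMAC fails. This is why the route hashes the raw body.
  reserialized = JSON.generate(JSON.parse(DEMO_RAW_BODY))
  results[:reserialized_bytes_equal] = (reserialized == DEMO_RAW_BODY)
  results[:reserialized] = verify_signature(DEMO_SECRET, reserialized, sig)

  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |scenario, outcome| puts "#{scenario}: #{outcome}" }
end
```

Wire verify_signature into a route by reading request.body once, passing the result straight to the function, and only then handing the same string to JSON.parse; any transformation between reading and hashing breaks the check exactly as the reserialized scenario shows.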

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.