Glossary
Replay Attack
An attack where a captured valid webhook is re-sent later — possibly by an attacker — to trigger duplicate side effects. Defended against with timestamps and idempotency.
A signed webhook proves authenticity but not freshness. If an attacker intercepts a payment.succeeded event today, they can re-send the exact same bytes (signature included) tomorrow — and your handler will accept it as valid.
The defense is two-layered: (1) the sender includes a timestamp in the signed payload, and the receiver rejects requests older than ~5 minutes; (2) the handler deduplicates by event ID so even an in-window replay can't cause duplicate side effects.
Stripe's signature scheme bakes both in: t=1614264600,v1=abc... — the timestamp is part of the signed string, and the SDK rejects messages older than 5 minutes by default.
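The two layers above in code, as an added example (not HookSense's or Stripe's own code): a Stripe-style verifier that checks the HMAC over "<timestamp>.<body>", enforces the 5-minute window, and then deduplicates by event ID. The secret, tolerance, and sample event are constructed values.

```python
import hashlib
import hmac
import json

# Constructed values for the example; not a real signing secret.
SECRET = b"whsec_example_secret"
TOLERANCE = 300  # seconds; mirrors the 5-minute default described above


def sign(body: bytes, ts: int) -> str:
    """Sender side: header 't=<ts>,v1=<hex hmac-sha256 over "<ts>.<body>">'."""
    mac = hmac.new(SECRET, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify(body: bytes, header: str, now: int) -> bool:
    """Layer 1: reject a bad signature or a timestamp outside the window."""
    fields = {}
    for part in header.split(","):
        key, _, value = part.partition("=")
        fields[key] = value
    if not fields.get("t", "").isdigit():
        return False
    ts = int(fields["t"])
    expected = hmac.new(SECRET, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison, then freshness: a 10-minute-old replay fails here.
    if not hmac.compare_digest(expected, fields.get("v1", "")):
        return False
    return abs(now - ts) <= TOLERANCE


class Handler:
    """Layer 2: remember event IDs so an in-window replay causes no side effect."""

    def __init__(self):
        self.seen = set()
        self.fulfilled = []  # stands in for the real side effect (e.g. order fulfilment)

    def handle(self, body: bytes, header: str, now: int) -> str:
        if not verify(body, header, now):
            return "rejected"
        event = json.loads(body)
        if event["id"] in self.seen:
            return "duplicate"  # same bytes, same signature, replayed within the window
        self.seen.add(event["id"])
        self.fulfilled.append(event["id"])
        return "processed"
```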
How HookSense helps
HookSense lets you replay any captured webhook to any target URL — useful for testing your replay-attack defenses by trying to replay a 10-minute-old request and confirming it's rejected.