
HMAC-signed webhook platform

Definition

Outbound HTTP notification whose payload is HMAC-SHA256 signed. Lets the receiver verify authenticity without sharing credentials.

Detail

When cifraHQ Enterprise emits events to external systems (invoice posted, period closed, shipment dispatched), it does so via webhook: an HTTP POST to the endpoint the customer registered. The problem is trust: how does the receiver know the POST really comes from cifraHQ and not from an attacker?

The answer is HMAC: every request carries an X-Signature header containing HMAC-SHA256(secret, body). The customer registers a secret when configuring the webhook. On each delivery, the receiver reads the header, recomputes the signature over the body with its copy of the secret, and compares the two values. If they do not match, it discards the request. cifraHQ Enterprise also signs the timestamp to prevent replays and lets you rotate the secret without downtime. It is standard; what is notable is doing it right.
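A receiver-side check for the scheme described above, as an added example that is not cifraHQ's own code. Only the X-Signature header and HMAC-SHA256 come from this page; the X-Timestamp header name, the "timestamp.body" signed layout, hex encoding, the 300-second window and the secrets are assumptions made for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a cifraHQ value


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over b"<timestamp>.<body>", hex-encoded (assumed layout)."""
    message = timestamp.encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(headers, body, secrets, now=None):
    """Return True only for a fresh request signed with an accepted secret.

    headers: dict with X-Signature (from the page) and X-Timestamp (assumed).
    body:    raw request bytes exactly as received, before any JSON parsing.
    secrets: current secret first, plus the previous one while rotating.
    """
    signature = headers.get("X-Signature", "")
    timestamp = headers.get("X-Timestamp", "")
    if not signature or not (timestamp.isascii() and timestamp.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    ok = False
    for secret in secrets:
        expected = sign(secret, timestamp, body)
        # Constant-time comparison; check every secret, no early exit.
        ok |= hmac.compare_digest(expected.encode(), signature.encode())
    return ok


# Constructed sample data (not real cifraHQ secrets or events).
OLD_SECRET = b"constructed-old-secret"
NEW_SECRET = b"constructed-new-secret"
SAMPLE_BODY = b'{"event":"invoice.posted","id":"inv_0001"}'
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    "X-Timestamp": SAMPLE_TS,
    "X-Signature": sign(OLD_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    # Sender still uses the old secret; receiver accepts both during rotation.
    accepted = [NEW_SECRET, OLD_SECRET]
    print(verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, accepted, now=1700000030))
```

Accepting both secrets for a limited overlap is what makes rotation possible without dropped deliveries; remove the old secret from the list once the sender has switched.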

How does cifraHQ model HMAC-signed webhooks?

Let’s schedule a 45-minute technical session with your team to see it in product.
