Before: Soft-Fail
Log Warning, Process Anyway
Invalid signatures were logged but the webhook was still processed. Forged requests could trigger actions.
if (!isValid) {
  console.warn('Sig check failed');
  // continue processing... (falls through: a forged payload is handled like a genuine one)
}
WARN: Webhook signature verification failed
WARN: Processing webhook anyway...
INSECURE
After: Hard-Fail
Reject Invalid Requests
Invalid signatures immediately return 401 Unauthorized. No processing, no logging, no resource usage.
if (!isValid) {
  return new Response('Unauthorized', { status: 401 });
}
401: Unauthorized — invalid signature
200: Verified — processing call event
SECURE