23 Jan
I am signing (HMAC) outgoing webhooks to allow users to verify their source. Should I also sign outgoing responses?
To allow API users to verify the authenticity of outgoing webhooks, I am using a similar model to Slack:
Concatenate timestamp and body, HMAC with pre-shared key, add timestamp and HMAC digest to headers.
Recipient does the same, and com…
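
The sender and recipient steps described in the post, as an added example that is not part of the original post or any vendor's code. The header names, the `.` delimiter between timestamp and body, the SHA-256 choice and the 300-second freshness window are assumptions made for illustration; the key and body are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical header names and freshness window; the post does not name them.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"
MAX_SKEW_SECONDS = 300

# Constructed sample values for running the example offline.
KEY = b"constructed-pre-shared-key"
BODY = b'{"event":"invoice.paid","id":42}'


def _digest(key: bytes, timestamp: str, body: bytes) -> str:
    # The delimiter is an added assumption: without it, timestamp "12" with
    # body "3{}" and timestamp "123" with body "{}" would sign the same bytes.
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign(key: bytes, body: bytes, now: Optional[float] = None) -> dict:
    """Sender: return the headers to attach to the outgoing webhook."""
    timestamp = str(int(time.time() if now is None else now))
    return {TS_HEADER: timestamp, SIG_HEADER: _digest(key, timestamp, body)}


def verify(key: bytes, headers: dict, body: bytes,
           now: Optional[float] = None) -> bool:
    """Recipient: recompute over the raw body bytes and compare."""
    timestamp = headers.get(TS_HEADER, "")
    received = headers.get(SIG_HEADER, "")
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated timestamp: reject as a replay
    expected = _digest(key, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())
```

The recipient must verify against the exact bytes received on the wire; re-serialising parsed JSON before hashing can change whitespace or key order and fail the comparison.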