Webhook Relay Security

Receive webhooks from GitHub, Stripe, Slack, and any other service directly on your local machine. NFLTR includes built-in HMAC signature verification and replay attack detection — so you can develop webhook handlers with the same security as production.


How It Works

Configure the webhook provider to send events to your NFLTR tunnel URL. Webhook requests arrive at the NFLTR server, traverse the encrypted tunnel, and reach your local handler. The built-in verifier validates signatures before the request reaches your code.

[Diagram: Webhook provider (GitHub push event, Stripe payment, Slack interaction) → NFLTR server (HTTPS ingress, tunnel relay) → Signature verify (HMAC-SHA256 check, replay detection, constant-time compare) → Your handler (localhost:8000/webhooks)]

Quick Start

# Start a tunnel for your webhook handler
nfltr http 8000 --name my-webhooks

# Configure your provider's webhook URL:
# https://nfltr.xyz/browse/alice.my-webhooks/webhooks/github

Supported Providers

| Provider | Header Verified | Algorithm | Replay Protection |
|---|---|---|---|
| GitHub | X-Hub-Signature-256 | HMAC-SHA256 over raw body | |
| Stripe | X-Stripe-Signature (t=, v1=) | HMAC-SHA256 over ts.body | 5-minute window |
| Slack | X-Slack-Signature (v0=) | HMAC-SHA256 over v0:ts:body | 5-minute window |
| Generic | Configurable header | SHA256 / SHA512 / SHA1 / MD5 | Optional |

Signature Verification

NFLTR's webhook verification module (pkg/webhook) uses constant-time HMAC comparison for all signature checks, preventing timing attacks. For providers that include timestamps (Stripe, Slack), replay detection rejects events outside a 5-minute window.
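
The Stripe-style check described above (HMAC-SHA256 over ts.body, a 5-minute window, constant-time comparison), written out as an added Go example. It is not NFLTR's pkg/webhook code; the function names, error values, secret and body are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var errFormat = errors.New("malformed signature header")
var errBadSig = errors.New("signature mismatch")
var errReplay = errors.New("timestamp outside replay window")

// sign returns HMAC-SHA256(secret, "<ts>.<body>"), the "ts.body" layout from the table.
func sign(secret, body []byte, ts int64) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d.%s", ts, body)
	return m.Sum(nil)
}

// verify checks a "t=<unix>,v1=<hex>" header against the raw, unparsed request body.
func verify(header string, body, secret []byte, now time.Time, window time.Duration) error {
	fields := map[string]string{}
	for _, part := range strings.Split(header, ",") {
		k, v, _ := strings.Cut(part, "=")
		fields[k] = v
	}
	ts, err := strconv.ParseInt(fields["t"], 10, 64)
	got, hexErr := hex.DecodeString(fields["v1"])
	if err != nil || hexErr != nil || len(got) == 0 {
		return errFormat
	}
	if !hmac.Equal(got, sign(secret, body, ts)) { // constant-time; the MAC also covers ts
		return errBadSig
	}
	if age := now.Sub(time.Unix(ts, 0)); age > window || age < -window {
		return errReplay
	}
	return nil
}

func main() {
	secret, body, now := []byte("constructed-secret"), []byte(`{"id":"evt_constructed"}`), time.Unix(1700000000, 0)
	hdr := fmt.Sprintf("t=%d,v1=%x", now.Unix(), sign(secret, body, now.Unix()))
	fmt.Println(verify(hdr, body, secret, now, 5*time.Minute), verify(hdr, body, secret, now.Add(6*time.Minute), 5*time.Minute))
}
```

Because the timestamp is part of the signed string, rewriting `t=` to make a captured event look fresh fails the MAC check rather than the window check.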

Security Guarantees

🔐 HMAC Verification

Cryptographic signature validation ensures the webhook was sent by the claimed provider and not tampered with.

⏰ Replay Detection

Timestamp-based checks reject old events, preventing replay attacks. Configurable window per provider.

⚡ Constant-Time Compare

All signature comparisons use constant-time algorithms to prevent timing side-channel attacks.

Provider Setup Examples

GitHub

# 1. Start your webhook handler
nfltr http 3000 --name gh-hooks

# 2. In GitHub repo → Settings → Webhooks → Add webhook
#    Payload URL: https://nfltr.xyz/browse/alice.gh-hooks/github/webhook
#    Content type: application/json
#    Secret: your-webhook-secret

# 3. Your handler receives verified webhook events at localhost:3000/github/webhook

Stripe

# 1. Start your payment handler
nfltr http 8000 --name stripe-dev

# 2. In Stripe Dashboard → Developers → Webhooks → Add endpoint
#    Endpoint URL: https://nfltr.xyz/browse/alice.stripe-dev/stripe/webhook

# 3. Use the Stripe CLI to trigger test events:
stripe trigger payment_intent.succeeded

Slack

# 1. Start your Slack bot
nfltr http 3000 --name slack-bot

# 2. In Slack API → Event Subscriptions → Request URL:
#    https://nfltr.xyz/browse/alice.slack-bot/slack/events

💡 Debug webhooks in real time

Every webhook request is captured in the NFLTR dashboard. View full headers, body, and timing for every event — no console.log needed.

Custom Providers

The generic verifier supports any provider that uses HMAC-based signatures. Configure the header name, prefix, and hash algorithm:

# Verify a custom webhook with X-Signature header using SHA256
# The verifier checks: HMAC-SHA256(key=secret, message=body) == header value

Start receiving webhooks locally

Debug GitHub, Stripe, and Slack webhooks with full signature verification.
