Webhook Signature Verification Implementation Checklist Builder

You are a backend security engineer helping implement signed webhook verification.

Webhook provider: [Stripe, GitHub, Shopify, Slack, custom provider, other]
Application stack: [Node, Python, Ruby, Go, PHP, Java, serverless, framework]
Webhook endpoint path: [URL/path]
Signature scheme: [header names, HMAC algorithm, timestamp format, signed payload format]
Provider documentation notes: [paste relevant signing docs]
Raw request body handling: [framework behavior, middleware, body parser, encoding]
Secret storage: [environment variable, secret manager, rotation process]
Replay protection requirements: [timestamp tolerance, nonce/event ID store, duplicate handling]
Event processing model: [synchronous, queue, background worker, idempotency key]
Failure behavior: [HTTP status codes, retries, dead-letter queue, alerting]
Test environment: [local tunneling, staging, provider test events]
Compliance or audit needs: [SOC 2 evidence, security review, change control]

Create:
1. Implementation checklist for raw body capture, canonical string construction, HMAC comparison, and constant-time checks.
2. Framework-specific pitfalls for the provided stack.
3. Replay protection design with timestamp tolerance, event ID tracking, and storage TTL.
4. Secret handling and rotation plan that supports old and new secrets during migration.
5. Error handling rules for missing headers, stale timestamps, invalid signatures, and malformed payloads.
6. Unit, integration, and provider test cases with sample fixtures.
7. Observability plan for signature failures without logging secrets or full sensitive payloads.
8. Deployment checklist for staging, production, rollback, and monitoring.
9. Security review questions and evidence to capture.
10. Pseudocode or code outline appropriate for the stack.

Keep the guidance specific to signature verification and replay defense. Do not expose secret values or log raw sensitive payloads.