Check for AfterShip's base64-encoded HMAC generated signature to verify all incoming webhook events to avoid replay attacks.
Webhooks include a calculated digital signature for verification. Each webhook request includes an
am-webhook-signature header. The signature is a base64-encoded HMAC generated using the sha256 algorithm with the webhook request body and the webhook secret of your account.
Each webhook request could be verified by comparing the computed HMAC digest and the attached HMAC digest in the header.
The following Node.js example demonstrates the computation of a webhook signature.
Webhook secret can be obtained by going to Settings > Webhooks