🌐 HMAC in Action: APIs, Webhooks & Blockchain

Explore how HMAC secures API requests, webhooks, and blockchain transactions


🛡️ Real-World Security

Let's see how HMAC defends against real attacks in the wild. Understanding these threats will make you a security-conscious blockchain developer!

🎮 Interactive Attack Scenarios

🔄 Replay Attack

Attacker captures a valid request and sends it again.

📝 Normal Scenario: Alice sends "Transfer $100 to Bob" with a valid HMAC.

⚠️ Attack Attempt: Attacker intercepts and replays the same request 10 times.

❌ Without HMAC: Transfer happens 10 times! $1000 stolen.

✅ With HMAC: The timestamp is part of the signed payload, so the server rejects old requests (>5 min). Attack fails!

🏢 Major Platforms Using HMAC

💱 Binance

World's largest crypto exchange

• HMAC-SHA256 for all API requests
• 5-second timestamp window
• Signature in request header

🔷 Coinbase

Leading US crypto platform

• HMAC-SHA256 signatures
• Includes request body + timestamp
• CB-ACCESS-SIGN header

☁️ AWS

Amazon Web Services

• AWS Signature Version 4
• HMAC-SHA256 based signing
• Signs entire request (headers + body)

💳 Stripe

Payment processing platform

• HMAC-SHA256 for webhooks
• Stripe-Signature header
• Prevents webhook spoofing

🔐 Best Practices Checklist

Use Strong Hash Functions

SHA-256 or SHA-3, never MD5 or SHA-1

Generate Long Random Keys

Minimum 32 bytes (256 bits) of cryptographically secure random data

Include Timestamp in Signature

Reject requests older than 5 minutes to prevent replay attacks

Always Use HTTPS

HMAC protects integrity and authenticity; HTTPS protects confidentiality

Store Keys Securely

Use environment variables, never hardcode in source

Use Constant-Time Comparison

Prevents timing attacks when verifying signatures

Rotate Keys Periodically

Change API secrets every 90 days or after suspected compromise

Rate Limit Failed Attempts

Block IPs after repeated invalid signatures (brute force protection)
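The replay scenario above and the checklist items (timestamp in the signature, constant-time comparison, identical payload construction) worked through in Python. This is an added example, not code from the page or from any of the platforms listed; the secret, request body, timestamp, the `canonical_payload` format and the `Verifier` class are all constructed for illustration. It goes one step beyond the text: besides the 5-minute freshness window it caches signatures already accepted inside that window, since the window alone still accepts an exact copy for as long as it is open.

```python
import hashlib
import hmac

# Constructed demo values; a real server loads the secret from its environment
# or a secret manager, never from source.
SECRET = b"demo-secret-0123456789abcdef0123456789abcdef"
MAX_AGE_SECONDS = 300  # the 5-minute window from the checklist


def canonical_payload(method: str, path: str, timestamp: int, body: str) -> bytes:
    """Fixed field order and separator so client and server sign identical bytes."""
    return f"{timestamp}\n{method.upper()}\n{path}\n{body}".encode()


def sign(method: str, path: str, timestamp: int, body: str, secret: bytes = SECRET) -> str:
    """Client side: HMAC-SHA256 over the canonical payload, hex-encoded for a header."""
    return hmac.new(secret, canonical_payload(method, path, timestamp, body), hashlib.sha256).hexdigest()


class Verifier:
    """Server side (hypothetical class): freshness window, constant-time compare,
    and a cache of signatures already accepted inside the window."""

    def __init__(self, secret: bytes = SECRET, max_age: int = MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        self.seen: dict = {}  # accepted signature -> its timestamp

    def verify(self, method, path, timestamp, body, signature, now):
        # 1. Freshness: anything outside +/- max_age is rejected (also bounds clock skew).
        if abs(now - timestamp) > self.max_age:
            return False, "stale timestamp"
        # 2. Integrity: recompute and compare in constant time to avoid timing leaks.
        expected = sign(method, path, timestamp, body, self.secret)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 3. Replay inside the window: a valid signature is accepted only once.
        self.seen = {s: t for s, t in self.seen.items() if abs(now - t) <= self.max_age}
        if signature in self.seen:
            return False, "replayed request"
        self.seen[signature] = timestamp
        return True, "ok"


if __name__ == "__main__":
    T0, BODY = 1_700_000_000, '{"to":"bob","amount":100}'  # constructed request
    sig = sign("POST", "/transfer", T0, BODY)
    v = Verifier()
    print(v.verify("POST", "/transfer", T0, BODY, sig, T0 + 2))    # (True, 'ok')
    print(v.verify("POST", "/transfer", T0, BODY, sig, T0 + 3))    # (False, 'replayed request')
```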

🚨 Common Mistakes to Avoid

Transmitting the Secret Key

Never send the secret key in requests! Only the signature should travel over the network.

Ignoring Timestamp Validation

Without timestamp checks, attackers can replay old valid requests indefinitely.

Inconsistent Payload Construction

Client and server must build the signature payload EXACTLY the same way (same order, formatting).

Using HTTP Instead of HTTPS

HMAC proves integrity, but without HTTPS, requests can still be read by eavesdroppers.

Logging Secret Keys

Never log secrets in application logs, error messages, or debugging output.

🎯 HMAC vs Other Auth Methods

| Method | Security | Performance | Use Case |
|---|---|---|---|
| HMAC | ✅ Very High | ⚡ Fast | API authentication |
| API Keys Only | ⚠️ Medium | ⚡ Very Fast | Read-only APIs |
| JWT Tokens | ✅ High | ⚡ Fast | User sessions |
| OAuth 2.0 | ✅ High | 🐌 Slower | Third-party access |
| Digital Signatures | ✅ Very High | 🐌 Slow | Blockchain transactions |