# Prevent Spoofing
source: https://developer.mastercard.com/open-finance-au/documentation/consent/prevent-spoofing/index.md

We recommend that you verify the signature of every notification you receive before acting on it.

Tips for Best Practice:

1. Create a SHA-256 HMAC of the request body using the signing key returned in the subscription response (see [Subscribing to notifications](https://developer.mastercard.com/open-finance-au/documentation/consent/consent-notifications/index.md)).
2. Compare it to the signature included in the `Event-Signature` header. If the two are equal, the notification is valid; otherwise it is spoofed.
3. Store the `eventId` and ignore any notification whose ID has already been processed, to prevent replay attacks.

The `Event-Signature` header gets added to every event sent.

Header example

```sh
Event-Signature: "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"
Event-Id: "ac7e616b-8bf1-43a9-9ed4-11d9da2550c8"
Event-Type: "INSTITUTIONS_REVOKED"
Event-Context: "CONSENT"

Content-Type: "application/json"
...
{{"standard HTTPS headers"}}
```

An example of signature verification in NodeJS

```javascript
const express = require('express');
const crypto = require('crypto');

const key = '{{signingKey}}'; // signing key returned in the subscription response
const router = express.Router();

// Read the body as a raw Buffer so the HMAC covers the exact bytes that were signed;
// re-serialising a parsed object with JSON.stringify can change them.
router.use('/webhook-handler', express.raw({ type: 'application/json' }), (request, res) => {
  const expected = crypto.createHmac('sha256', key).update(request.body).digest('hex');
  const received = request.get('Event-Signature') || '';

  // Constant-time comparison; timingSafeEqual requires equal-length inputs.
  const valid = received.length === expected.length &&
    crypto.timingSafeEqual(Buffer.from(received), Buffer.from(expected));

  if (!valid) {
    return res.status(401).send('Spoofing detected, rejecting event');
  }

  const event = JSON.parse(request.body.toString('utf8')); // safe to parse now
  res.sendStatus(200); // acknowledge; process `event` here
});
```

