Code Room
Code review · Hard · cr-g564
Subject: Crypto security · Level: Senior–Staff · ~25 min · Common in: Security interviews · Industries: Software development

Question

Review this Go webhook-signature verifier.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (Go)

```go
func verifySignature(payload []byte, sig string, secret []byte) bool {
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	expected := hex.EncodeToString(mac.Sum(nil))
	return expected == sig
}

func handler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	if !verifySignature(body, r.Header.Get("X-Signature"), webhookSecret) {
		http.Error(w, "bad signature", 401)
		return
	}
	process(body)
}
```
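One hardened form of the verifier above, as an added example that is not part of the original question or an official answer: it compares decoded tags with `hmac.Equal` instead of `==`, rejects malformed tags and an empty secret, caps the body read, and handles the read error. The 1 MiB cap, the placeholder secret value, the `sign` helper and the `process` stub are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
)

var webhookSecret = []byte("constructed-demo-secret") // placeholder; load from a secret store

// verifySignature compares the hex-decoded tag with the expected MAC in constant time.
func verifySignature(payload []byte, sig string, secret []byte) bool {
	got, err := hex.DecodeString(sig)
	if err != nil || len(got) != sha256.Size || len(secret) == 0 {
		return false // malformed, missing or truncated tag, or unset secret
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return hmac.Equal(got, mac.Sum(nil)) // no early exit on the first differing byte
}

// sign builds the tag a legitimate sender would attach (hypothetical helper for the demo and test).
func sign(payload, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

func process(body []byte) {} // stand-in for the page's process()
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // assumed 1 MiB cap
	if err != nil {
		http.Error(w, "unreadable body", http.StatusBadRequest)
		return
	}
	if !verifySignature(body, r.Header.Get("X-Signature"), webhookSecret) {
		http.Error(w, "bad signature", http.StatusUnauthorized)
		return
	}
	process(body)
}

func main() {
	body := []byte(`{"event":"ping"}`) // constructed sample payload
	fmt.Println(verifySignature(body, sign(body, webhookSecret), webhookSecret))
}
```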