Webhook signature validation failing on replay attempts

Noticed a weird gap in our security checks. We’re verifying the X-Genesys-Signature header on our endpoint, but replay attacks are slipping through because we’re only checking the payload hash, not the timestamp drift.

Is there a standard way to validate the X-Genesys-Timestamp header in Node.js? The docs mention it but don’t show the HMAC verification logic for the timestamp itself. We’ve tried comparing Date.now() against the header, but the clock skew is causing false positives.
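
An added example, not part of the original post and not vendor code: one way to bind the timestamp to the signature, tolerate clock skew with a window, and refuse verbatim replays inside that window. It assumes the signature is a hex HMAC-SHA256 over `timestamp.rawBody` and that the timestamp is Unix seconds; both are assumptions to check against the provider's documentation, and `sign`, `verifyWebhook` and `TOLERANCE_SECONDS` are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Assumptions (not taken from the vendor docs): the signature is a hex
// HMAC-SHA256 over `${timestamp}.${rawBody}` and the timestamp is Unix seconds.
const TOLERANCE_SECONDS = 300;   // accepted clock skew either side of our clock
const seen = new Map();          // signature -> expiry; use a shared store if clustered

function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`).digest('hex');
}

function verifyWebhook({ secret, signature, timestamp, rawBody,
                         now = Math.floor(Date.now() / 1000) }) {
  // Reject anything that is not a plain integer before using it.
  if (!/^\d{1,12}$/.test(String(timestamp))) return { ok: false, reason: 'bad-timestamp' };
  const ts = Number(timestamp);

  // Authenticate first. Because the MAC covers the timestamp, a captured
  // request cannot be given a fresh timestamp without breaking the signature.
  const expected = Buffer.from(sign(secret, timestamp, rawBody), 'hex');
  const given = Buffer.from(String(signature), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // A window, not an equality check, absorbs ordinary clock skew.
  if (Math.abs(now - ts) > TOLERANCE_SECONDS) return { ok: false, reason: 'stale' };

  // Inside the window, remember signatures so a verbatim replay is refused.
  for (const [sig, expiry] of seen) if (expiry < now) seen.delete(sig);
  const key = expected.toString('hex');
  if (seen.has(key)) return { ok: false, reason: 'replayed' };
  seen.set(key, ts + TOLERANCE_SECONDS);
  return { ok: true };
}

// Constructed sample request (not real traffic).
const demo = { secret: 'constructed-secret', rawBody: '{"id":"demo"}',
               timestamp: '1700000000', now: 1700000030 };
demo.signature = sign(demo.secret, demo.timestamp, demo.rawBody);
console.log(verifyWebhook(demo), verifyWebhook(demo));
```

Pass the raw request bytes as received, not a re-serialized JSON object, or the computed MAC will not match.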