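// Overview: the Edge Runtime ships Web Crypto natively, so HMAC request
// signatures can be generated and verified at the edge with low latency and
// without the Node-only `crypto` module. Typical uses: webhook verification
// and tamper-proofing of API requests.
//
// Protocol as written here: the caller sends the raw request body plus an
// `x-signature` header holding base64(HMAC-SHA256(secret, body)). Only the
// body is signed — there is no timestamp or nonce in the signed material, so
// a captured request can be replayed until the secret rotates. Bind a
// timestamp (and reject stale ones) and/or a nonce into the signed payload
// if replay matters for your endpoint; see the governance notes at the end.

// ---- Signature generation (trusted caller or edge) ----

/**
 * Produce base64(HMAC-SHA256(secret, payload)).
 *
 * @param secret  Shared secret; its UTF-8 bytes are used as the raw HMAC key.
 * @param payload Exact bytes the verifier will see (the raw request body).
 * @returns Standard base64 (`+`, `/`, `=` padding) of the 32-byte tag.
 */
async function hmacSign(secret: string, payload: string): Promise<string> {
  const enc = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw',
    enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign'],
  );
  const tag = new Uint8Array(await crypto.subtle.sign('HMAC', key, enc.encode(payload)));
  // The tag is 32 bytes, so spreading into fromCharCode is safe here.
  return btoa(String.fromCharCode(...tag));
}

// ---- Signature verification (Edge Route) — app/api/verify/route.ts ----

export const runtime = 'edge';

/** Decode standard base64; returns undefined instead of throwing on malformed input. */
function decodeBase64(s: string): Uint8Array | undefined {
  try {
    return Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
  } catch {
    // atob throws on characters outside the base64 alphabet / bad padding.
    // The header is attacker-controlled, so that must not become a 500.
    return undefined;
  }
}

/**
 * Check `sigBase64` against HMAC-SHA256(secret, payload).
 *
 * `crypto.subtle.verify` compares the tag in constant time, so no hand-rolled
 * comparison is needed — and a `===` on the base64 strings would be the wrong
 * way to do it.
 *
 * @returns true only for a well-formed, matching signature; false for a
 *          mismatch, a wrong-length tag or undecodable base64. Never throws
 *          because of a bad `sigBase64`.
 */
async function hmacVerify(secret: string, payload: string, sigBase64: string): Promise<boolean> {
  const sig = decodeBase64(sigBase64);
  // An HMAC-SHA256 tag is exactly 32 bytes; anything else cannot be valid.
  if (sig === undefined || sig.length !== 32) return false;
  const enc = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw',
    enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['verify'],
  );
  return crypto.subtle.verify('HMAC', key, sig, enc.encode(payload));
}

/**
 * POST handler: 401 unless the raw body matches the `x-signature` header.
 *
 * Fails closed with a generic 500 if SIGN_SECRET is not configured, rather
 * than attempting to import an empty key. The body is read with `req.text()`
 * so the exact bytes the caller signed are verified — re-serialising parsed
 * JSON would change whitespace/key order and break the signature.
 */
export async function POST(req: Request): Promise<Response> {
  const secret = process.env.SIGN_SECRET;
  if (!secret) {
    // Misconfiguration, not a client error; do not reveal which variable is missing.
    return new Response('Server misconfigured', { status: 500 });
  }
  const sig = req.headers.get('x-signature') ?? '';
  const body = await req.text();
  const ok = await hmacVerify(secret, body, sig);
  if (!ok) return new Response('Invalid signature', { status: 401 });
  return new Response('OK');
}

// ---- Governance notes ----
// - Keep the secret in environment variables / a secrets store and never ship
//   it to browser code: a secret embedded in client-side JS is public, and
//   anyone holding it can forge signatures. "Client" signing above therefore
//   means a trusted server-side caller, not a browser.
// - Comparison is constant time via crypto.subtle.verify; do not compare
//   signature strings with `===`.
// - Replay: this sample does not bound the request time window or track
//   nonces. Add a signed timestamp (reject e.g. outside ±5 minutes) and, where
//   needed, a nonce store before relying on it for webhooks.
// - Log verification failures with the reason and source for observability,
//   without logging the secret or the full body.
//
// Verification & metrics: Web Crypto is available in browsers and the Edge
// Runtime; Next.js 15.0+; Edge Runtime stable. Verification is reliable and
// low-latency, suited to webhook and tamper-proofing scenarios.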
