diff --git a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
index e14773f..e900bea 100644
--- a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
+++ b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
@@ -410,6 +410,7 @@ describe("POST /api/webhooks/coinpay", () => {
 expect(verifyCoinPayWebhook(payload, `t=${timestamp},v1=${signature}`, secret)).toBe(true);
 expect(verifyCoinPayWebhook(payload, `t=${timestamp}, v1=${signature}`, secret)).toBe(true);
+ expect(verifyCoinPayWebhook(payload, `t=${timestamp},v1=${signature}0`, secret)).toBe(false);
 const response = await coinpayWebhook(
 new NextRequest("http://localhost/api/webhooks/coinpay", {
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
index dae83d7..96bc58f 100644
--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -117,7 +117,7 @@ export function verifyCoinPayWebhook(
 const parts = signatureHeader.split(",").map((part) => part.trim());
 const timestamp = parts.find((part) => part.startsWith("t="))?.slice(2);
 const signature = parts.find((part) => part.startsWith("v1="))?.slice(3);
- if (!timestamp || !signature) {
+ if (!timestamp || !signature || !/^[0-9a-fA-F]{64}$/.test(signature)) {
 return false;
 }
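Review bot: The added assertion only covers a signature that is one character too long, which exercises the new length bound but not the character-class half of the `/^[0-9a-fA-F]{64}$/` check it is paired with in coinpay.ts; a 64-character non-hex value and an empty `v1=` value would pin both halves. Two lines next to the new one would do: `expect(verifyCoinPayWebhook(payload, \`t=${timestamp},v1=${"g".repeat(64)}\`, secret)).toBe(false);` and `expect(verifyCoinPayWebhook(payload, \`t=${timestamp},v1=\`, secret)).toBe(false);`. A short-by-one case (`${signature.slice(1)}`) would also be worth keeping, since an off-by-one in the length bound is the likeliest regression. The enclosing `describe`/`it` body starts and continues outside this hunk.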
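Review bot: The new `/^[0-9a-fA-F]{64}$/` guard is undocumented, and nothing in the hunk says why 64 is the right length or what the later comparison expects, so the next reader cannot tell whether the accepted uppercase hex is actually compared correctly; the comparison itself is outside this hunk, so I can only note that if it is a string comparison rather than a comparison of decoded bytes, an uppercase-hex signature from the sender would pass this guard and then fail to match. A comment on the new line such as `// Only a hex-encoded 32-byte digest is a candidate signature; anything else is rejected before the comparison so malformed input never reaches it.` would make the intent explicit (the 32-byte/SHA-256 wording presumes that is the digest in use — confirm against the signing code). Hoisting the literal to a module-level `const SIGNATURE_HEX = /^[0-9a-f]{64}$/i;` would avoid re-creating the regex on every call and give the constraint a name. The `timestamp` value is still accepted unvalidated by this guard; whether a numeric/freshness check happens later in verifyCoinPayWebhook is not visible in the hunk. The function body continues past the end of the hunk.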