Verify Webhook Signatures
Essential security - verify webhook authenticity
From the Webhooks AI Coding Building Block.
Add signature verification to my webhook endpoint. I want to make sure the webhook is actually from [Stripe/GitHub/the service] and not a fake request.

Framework: [Express, Flask, Django, FastAPI, etc.]
Service: [Stripe, GitHub, Shopify, etc.]

Requirements:
1. Get the signature from the request headers
2. Verify it matches the expected signature
3. Reject requests with invalid signatures (return 401)
4. Only process the webhook if verification passes

Show me:
- Where to find my webhook signing secret (in the service dashboard)
- How to compute the expected signature
- How to compare signatures securely (timing-safe comparison)
- What to log when verification fails (for debugging)

Security matters here. Explain why signature verification is needed and what could go wrong without it. I'm learning, so explain each part simply.
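
The four requirements above, worked through for one concrete scheme. This is an added example, not part of the original prompt. It assumes the GitHub-style X-Hub-Signature-256 header ("sha256=" followed by the hex HMAC-SHA256 of the raw body); the function names, the secret and the sample body are constructed for illustration.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("webhook")

# Assumed scheme: "sha256=<hex HMAC-SHA256 of the raw body>", the format GitHub
# sends in X-Hub-Signature-256. Other services differ; check their docs.
SIG_HEADER = "X-Hub-Signature-256"
PREFIX = "sha256="


def expected_signature(secret, raw_body):
    """Compute the header value the sender would produce for this body."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret, raw_body, header_value):
    """Return (ok, reason). raw_body must be the exact bytes received,
    not JSON that was parsed and re-serialized."""
    if not header_value:
        return False, "missing signature header"
    if not header_value.startswith(PREFIX):
        return False, "unsupported signature format"
    expected = expected_signature(secret, raw_body).encode()
    # compare_digest's running time does not depend on where the inputs differ.
    # Compare bytes: it raises TypeError on non-ASCII str input.
    if not hmac.compare_digest(expected, header_value.encode("utf-8", "replace")):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(headers, raw_body, secret):
    """Framework-neutral handler: returns (HTTP status, response text)."""
    ok, reason = verify(secret, raw_body, headers.get(SIG_HEADER))
    if not ok:
        # Log the reason and body size for debugging; never the secret or body.
        log.warning("webhook rejected: %s (body=%d bytes)", reason, len(raw_body))
        return 401, "invalid signature"
    # Only now is it safe to parse and act on raw_body.
    return 200, "processed"


# Constructed sample values for demonstration only.
SAMPLE_SECRET = b"example-signing-secret"
SAMPLE_BODY = b'{"event":"ping","id":1}'
SAMPLE_HEADERS = {SIG_HEADER: expected_signature(SAMPLE_SECRET, SAMPLE_BODY)}
```

In a real framework, pass the unparsed request body bytes and look the header up case-insensitively; the plain dict here is a simplification.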