X-Hub-Signature is the SHA1 hash of the raw request payload. When using Node.js, Express.js and body-parser, to get the raw request payload you have to use the body-parser verify function option. And if you want to control the response status code and body content when the verify function throws an error, then you have to use a error-handling middleware function.

Here is a full example: