X-Hub-Signature is a compact way to validate webhooks from Facebook, GitHub, or any other source that uses this signature scheme.
Care has been taken to avoid security issues, including timing attacks.
To install:
composer require compwright/x-hub-signature
Sign a buffer containing a request body:
<?php
use Compwright\XHubSignature;
use InvalidArgumentException;
$signer = new XHubSignature\Sha256();
// Generate the signature header for an outbound webhook, i.e.
//
// X-Hub-Signature-256: sha256=...
//
$headerName = $signer->getHeaderName();
$headerValue = $signer->sign($requestBody, $secret);
$signatureHeader = $headerName . ': ' . $headerValue;
// Verify an inbound webhook
$isValid = $signer->verify($signatureHeaderValue, $requestBody, $secret);
if ($isValid === false) {
    throw new InvalidArgumentException('Bad Request');
}
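What the signature scheme computes, and why the comparison must be constant-time, as an added example that is not the library's own source. The function names `exampleSign` and `exampleVerify` and the sample secret and body are constructed for illustration.

```php
<?php
// Added illustration; not the source of compwright/x-hub-signature.
// Function names and sample values are assumptions made for this example.

/** Build the header value: "sha256=" followed by the hex HMAC-SHA256 of the raw body. */
function exampleSign(string $rawBody, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
}

/** Check a received header value against the raw body; false on any malformed input. */
function exampleVerify(?string $headerValue, string $rawBody, string $secret): bool
{
    // A missing header or an unexpected algorithm prefix is rejected outright,
    // so a sender cannot steer the receiver to a different algorithm.
    if ($headerValue === null || strncmp($headerValue, 'sha256=', 7) !== 0) {
        return false;
    }

    // A SHA-256 digest in hex is exactly 64 characters.
    $received = substr($headerValue, 7);
    if (strlen($received) !== 64) {
        return false;
    }

    $expected = hash_hmac('sha256', $rawBody, $secret);

    // hash_equals() compares in time independent of where the first mismatch
    // occurs. A plain === may return at the first differing byte, which lets a
    // sender measure how many leading characters of a guess were correct.
    return hash_equals($expected, $received);
}

// Constructed sample input.
$secret  = 'example-shared-secret';
$rawBody = '{"action":"opened","number":1}';
$header  = exampleSign($rawBody, $secret);

var_dump(exampleVerify($header, $rawBody, $secret));        // body as sent
var_dump(exampleVerify($header, $rawBody . ' ', $secret));  // body altered by one byte
var_dump(exampleVerify('sha1=' . substr($header, 7), $rawBody, $secret)); // wrong prefix
var_dump(exampleVerify(null, $rawBody, $secret));           // header missing
```

The HMAC covers the exact bytes on the wire, so verify against the raw request body (for example, the contents of `php://input`) rather than JSON that has been decoded and re-encoded.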
MIT License