@joemaller
Last active November 20, 2021 12:29
Validate Github webhook signatures with PHP
<?php
// Recompute the signature in the format GitHub sends: "sha1=" followed by the HMAC-SHA1 of the raw request body.
$sig_check = 'sha1=' . hash_hmac('sha1', Request::getContent(), $_ENV['github_webhook_secret']);
// PHP 5.6 and above should use hash_equals() for this comparison
if ($sig_check === Request::header('x-hub-signature')) {
    // sigs match, do stuff
}
@hypeJunction
hypeJunction commented Jun 21, 2019

You shouldn't use === to compare hashes as they are vulnerable to timing attacks. Use hash_equals() instead.
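
The check with `hash_equals()` in place of `===`, as an added example that is not the gist author's code. It goes beyond the snippet by failing closed on a missing header or empty secret and by also accepting the `sha256=` value GitHub sends in `X-Hub-Signature-256`; the function name and sample values are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not from the gist).
 * Returns true only when $header is "<algo>=<hex HMAC of $rawBody>" for an allowed algorithm.
 * $rawBody must be the exact bytes received, not a re-encoded copy of the parsed JSON.
 */
function verify_github_signature(
    string $rawBody,
    ?string $header,
    string $secret,
    array $allowedAlgos = ['sha256', 'sha1']
): bool {
    // Fail closed: an unset secret would still yield an HMAC, keyed with an empty string.
    if ($secret === '' || $header === null) {
        return false;
    }
    // Split "<algo>=<digest>" once; reject anything without an allowed prefix.
    $parts = explode('=', $header, 2);
    if (count($parts) !== 2 || !in_array($parts[0], $allowedAlgos, true)) {
        return false;
    }
    [$algo, $theirs] = $parts;
    $ours = hash_hmac($algo, $rawBody, $secret);
    // hash_equals() does not stop at the first differing byte the way === may;
    // the locally computed value goes first, the request-supplied value second.
    return hash_equals($ours, $theirs);
}

// Constructed sample data, not real GitHub traffic.
$secret = 'constructed-test-secret';
$body   = '{"zen":"constructed payload"}';
$sha1   = 'sha1=' . hash_hmac('sha1', $body, $secret);
$sha256 = 'sha256=' . hash_hmac('sha256', $body, $secret);

$cases = [
    'valid sha1 header'    => [$body, $sha1, $secret],
    'valid sha256 header'  => [$body, $sha256, $secret],
    'tampered body'        => [$body . ' ', $sha1, $secret],
    'header missing'       => [$body, null, $secret],
    'no algorithm prefix'  => [$body, substr($sha1, 5), $secret],
    'unexpected algorithm' => [$body, 'md5=' . hash_hmac('md5', $body, $secret), $secret],
    'secret not set'       => [$body, 'sha1=' . hash_hmac('sha1', $body, ''), ''],
];
foreach ($cases as $label => [$b, $h, $s]) {
    printf("%-22s %s\n", $label, verify_github_signature($b, $h, $s) ? 'accepted' : 'rejected');
}
```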