What's the right way to verify X-Hub-Signature in PHP?
I tried with
$xHubSignature = $request->getHeader('X-Hub-Signature');
$postdata = file_get_contents("php://input");
$body = $request->getRawBody( );
$check = sha1('mysecret'.$postdata);
but it doesn't work.
hash_hmac( 'sha1', $postdata,'mysecret') 
thanks to Payom Dousti
https://groups.google.com/forum/?fromgroups=#!topic/instagram-api-developers/7nKyipJENdI
To verify X-Hub-Signature header sent by Instagram or Facebook webhook callback in PHP version 5.6 or higher, you could use:
if ( hash_equals('sha1=' . hash_hmac('sha1', $postdata, 'mysecret'),
                 $_SERVER['HTTP_X_HUB_SIGNATURE']) ) {
    // signature matches: the payload was signed with the shared secret
}
This is better than using == or === since the hash_equals method would prevent timing attacks.
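The check from the answers above, wrapped so that a missing or malformed header fails closed, as an added example that is not part of the original posts. `verify_hub_signature` is a hypothetical helper name, and the secret and payload are constructed sample values.

```php
<?php
// Added example: constructed secret and payload, not real webhook data.

/**
 * Verify an X-Hub-Signature header of the form "sha1=<hex HMAC-SHA1>".
 * $rawBody must be the exact bytes received (php://input), not re-encoded JSON.
 * Written without scalar type hints so it also runs on PHP 5.6.
 */
function verify_hub_signature($rawBody, $header, $secret)
{
    // A missing, non-string or wrongly prefixed header is a failure, never a pass.
    if (!is_string($header) || strpos($header, 'sha1=') !== 0) {
        return false;
    }
    // Keyed hash of the body; the secret is the HMAC key, not a string prefix.
    $expected = 'sha1=' . hash_hmac('sha1', $rawBody, $secret);
    // Constant-time comparison: known value first, received value second.
    return hash_equals($expected, $header);
}

$secret = 'mysecret';
$body   = '{"object":"user","changed_aspect":"media"}'; // constructed payload

// Header value a sender holding the same secret would attach to $body.
$senderHeader = 'sha1=' . hash_hmac('sha1', $body, $secret);

// Case 1: untouched body with the sender's header.
var_dump(verify_hub_signature($body, $senderHeader, $secret));
// Case 2: body altered by one byte after signing.
var_dump(verify_hub_signature($body . ' ', $senderHeader, $secret));
// Case 3: request arrives with no signature header at all.
var_dump(verify_hub_signature($body, null, $secret));
// Case 4: the sha1('mysecret' . $postdata) form from the question,
// which is a plain hash of a concatenation and not an HMAC.
var_dump(verify_hub_signature($body, 'sha1=' . sha1($secret . $body), $secret));

// In a real handler the inputs would come from the request, e.g.:
//   $rawBody = file_get_contents('php://input');
//   $header  = isset($_SERVER['HTTP_X_HUB_SIGNATURE'])
//            ? $_SERVER['HTTP_X_HUB_SIGNATURE'] : null;
```

Verify before calling `json_decode`, and pass the raw body rather than a decoded-and-re-encoded copy, since any change in whitespace or key order changes the HMAC.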