I haven’t touched PHP in a while, but it should look roughly like this:
// If the request is a POST request then we're getting a real webhook callback.
if($_SERVER['REQUEST_METHOD'] === 'POST') {
// Default to not verified state.
$isVerified = FALSE;
// Get the signature from the headers
$sig = $_SERVER['HTTP_X_HUB_SIGNATURE'];
// Only test if there's possibly a signature
if(!empty($sig)) {
// Read the raw POST data
$data = file_get_contents("php://input");
// Calculate a hash and prepend the algorithm to match the signature
$hash = 'sha256=' . hash_hmac('sha256', $data, $mySecret);
// Compare the calculated and signature hash strings
$isVerified = $hash === $sig;
}
// ... Go on forth!
}