philiprehberger/php-webhook-signature
Composer 安装命令:
composer require philiprehberger/php-webhook-signature
包简介
Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention
README 文档
README
Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention.
Requirements
- PHP 8.2+
Installation
composer require philiprehberger/php-webhook-signature
Usage
Sender Side — Signing an Outgoing Payload
use PhilipRehberger\WebhookSignature\WebhookSignature; $payload = json_encode(['event' => 'invoice.paid', 'id' => 42]); $secret = 'your-shared-webhook-secret'; $signatureHeader = WebhookSignature::generate($payload, $secret); // "t=1700000000,v1=a3f1...c9d2" // Attach to your outgoing HTTP request $response = $httpClient->post($endpointUrl, [ 'headers' => [ 'Content-Type' => 'application/json', 'X-Webhook-Signature' => $signatureHeader, ], 'body' => $payload, ]);
Receiver Side — Verifying an Incoming Webhook
use PhilipRehberger\WebhookSignature\WebhookSignature; // Read the raw request body — do NOT decode it first $payload = file_get_contents('php://input'); $signature = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? ''; $secret = 'your-shared-webhook-secret'; if (! WebhookSignature::verify($payload, $signature, $secret)) { http_response_code(401); exit('Invalid signature'); } // Signature is valid — process the payload $data = json_decode($payload, true);
Replay Attack Prevention
By default, signatures older than 300 seconds (5 minutes) are rejected. Adjust the tolerance for your use case:
// Accept signatures up to 60 seconds old $valid = WebhookSignature::verify($payload, $signature, $secret, tolerance: 60); // Disable replay protection entirely (not recommended) $valid = WebhookSignature::verify($payload, $signature, $secret, tolerance: PHP_INT_MAX);
Exception-Based Flow with verifyOrFail()
use PhilipRehberger\WebhookSignature\WebhookSignature; use PhilipRehberger\WebhookSignature\Exceptions\InvalidSignatureException; use PhilipRehberger\WebhookSignature\Exceptions\SignatureExpiredException; try { WebhookSignature::verifyOrFail($payload, $signature, $secret); } catch (SignatureExpiredException $e) { http_response_code(401); exit('Signature expired'); } catch (InvalidSignatureException $e) { http_response_code(401); exit('Invalid signature'); }
Key Rotation with Multiple Secrets
When rotating webhook secrets, both the old and new secrets can be accepted during the transition period:
use PhilipRehberger\WebhookSignature\WebhookSignature; $payload = file_get_contents('php://input'); $signature = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? ''; // Accept signatures signed with either the old or new secret $secrets = [ 'new-secret-after-rotation', 'old-secret-before-rotation', ]; if (! WebhookSignature::verifyWithMultipleSecrets($payload, $signature, $secrets)) { http_response_code(401); exit('Invalid signature'); } // Signature matched one of the secrets — process the payload $data = json_decode($payload, true);
Algorithm-Specific Signing
Use signWith() and verifyWith() to sign and verify with SHA-384 or SHA-512 instead of the default SHA-256:
use PhilipRehberger\WebhookSignature\SignatureAlgorithm; use PhilipRehberger\WebhookSignature\WebhookSignature; // Sign with SHA-512 $signature = WebhookSignature::signWith($payload, $secret, SignatureAlgorithm::Sha512); // Verify with SHA-512 $valid = WebhookSignature::verifyWith($payload, $signature, $secret, SignatureAlgorithm::Sha512);
API
| Method | Description |
|---|---|
WebhookSignature::generate(string $payload, string $secret, ?int $timestamp = null): string |
Sign a payload; returns the formatted t={ts},v1={hmac} header value |
WebhookSignature::verify(string $payload, string $signature, string $secret, int $tolerance = 300): bool |
Verify a signature; returns false if malformed, expired, or invalid |
WebhookSignature::verifyOrFail(string $payload, string $signature, string $secret, int $tolerance = 300): void |
Verify a signature; throws InvalidSignatureException or SignatureExpiredException on failure |
WebhookSignature::signWith(string $payload, string $secret, SignatureAlgorithm $algorithm, ?int $timestamp = null): string |
Sign a payload using a specific algorithm (SHA-256, SHA-384, or SHA-512) |
WebhookSignature::verifyWith(string $payload, string $signature, string $secret, SignatureAlgorithm $algorithm, int $tolerance = 300): bool |
Verify a signature using a specific algorithm |
WebhookSignature::verifyWithMultipleSecrets(string $payload, string $signature, array $secrets, int $tolerance = 300): bool |
Verify against multiple secrets; returns true if any matches (key rotation) |
WebhookSignature::parseSignatureHeader(string $signature): ?array |
Parse a signature header into ['timestamp' => int, 'v1' => string]; returns null on malformed input |
Development
composer install vendor/bin/phpunit vendor/bin/pint --test vendor/bin/phpstan analyse
Support
If you find this project useful:
License
philiprehberger/php-webhook-signature 适用场景与选型建议
philiprehberger/php-webhook-signature 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 59 次下载、GitHub Stars 达 1, 最近一次更新时间为 2026 年 03 月 13 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「stripe」 「signature」 「webhook」 「hmac」 「sha256」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 philiprehberger/php-webhook-signature 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 philiprehberger/php-webhook-signature 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 philiprehberger/php-webhook-signature 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
Flexible payment integration for Laravel, lunarphp, supporting multiple payment providers.
接口签名验证
It's a barebone security class written on PHP
Digital signature Nova field.
统计信息
- 总下载量: 59
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 36
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-03-13