承接 philiprehberger/php-webhook-signature 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

philiprehberger/php-webhook-signature

Composer 安装命令:

composer require philiprehberger/php-webhook-signature

包简介

Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention

README 文档

README

Tests Latest Version on Packagist Last updated

Minimal, framework-agnostic HMAC-SHA256 webhook signature generation and verification with replay attack prevention.

Requirements

  • PHP 8.2+

Installation

composer require philiprehberger/php-webhook-signature

Usage

Sender Side — Signing an Outgoing Payload

use PhilipRehberger\WebhookSignature\WebhookSignature;

$payload = json_encode(['event' => 'invoice.paid', 'id' => 42]);
$secret  = 'your-shared-webhook-secret';

$signatureHeader = WebhookSignature::generate($payload, $secret);
// "t=1700000000,v1=a3f1...c9d2"

// Attach to your outgoing HTTP request
$response = $httpClient->post($endpointUrl, [
    'headers' => [
        'Content-Type'        => 'application/json',
        'X-Webhook-Signature' => $signatureHeader,
    ],
    'body' => $payload,
]);

Receiver Side — Verifying an Incoming Webhook

use PhilipRehberger\WebhookSignature\WebhookSignature;

// Read the raw request body — do NOT decode it first
$payload   = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? '';
$secret    = 'your-shared-webhook-secret';

if (! WebhookSignature::verify($payload, $signature, $secret)) {
    http_response_code(401);
    exit('Invalid signature');
}

// Signature is valid — process the payload
$data = json_decode($payload, true);

Replay Attack Prevention

By default, signatures older than 300 seconds (5 minutes) are rejected. Adjust the tolerance for your use case:

// Accept signatures up to 60 seconds old
$valid = WebhookSignature::verify($payload, $signature, $secret, tolerance: 60);

// Disable replay protection entirely (not recommended)
$valid = WebhookSignature::verify($payload, $signature, $secret, tolerance: PHP_INT_MAX);

Exception-Based Flow with verifyOrFail()

use PhilipRehberger\WebhookSignature\WebhookSignature;
use PhilipRehberger\WebhookSignature\Exceptions\InvalidSignatureException;
use PhilipRehberger\WebhookSignature\Exceptions\SignatureExpiredException;

try {
    WebhookSignature::verifyOrFail($payload, $signature, $secret);
} catch (SignatureExpiredException $e) {
    http_response_code(401);
    exit('Signature expired');
} catch (InvalidSignatureException $e) {
    http_response_code(401);
    exit('Invalid signature');
}

Key Rotation with Multiple Secrets

When rotating webhook secrets, both the old and new secrets can be accepted during the transition period:

use PhilipRehberger\WebhookSignature\WebhookSignature;

$payload   = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'] ?? '';

// Accept signatures signed with either the old or new secret
$secrets = [
    'new-secret-after-rotation',
    'old-secret-before-rotation',
];

if (! WebhookSignature::verifyWithMultipleSecrets($payload, $signature, $secrets)) {
    http_response_code(401);
    exit('Invalid signature');
}

// Signature matched one of the secrets — process the payload
$data = json_decode($payload, true);

Algorithm-Specific Signing

Use signWith() and verifyWith() to sign and verify with SHA-384 or SHA-512 instead of the default SHA-256:

use PhilipRehberger\WebhookSignature\SignatureAlgorithm;
use PhilipRehberger\WebhookSignature\WebhookSignature;

// Sign with SHA-512
$signature = WebhookSignature::signWith($payload, $secret, SignatureAlgorithm::Sha512);

// Verify with SHA-512
$valid = WebhookSignature::verifyWith($payload, $signature, $secret, SignatureAlgorithm::Sha512);

API

Method Description
WebhookSignature::generate(string $payload, string $secret, ?int $timestamp = null): string Sign a payload; returns the formatted t={ts},v1={hmac} header value
WebhookSignature::verify(string $payload, string $signature, string $secret, int $tolerance = 300): bool Verify a signature; returns false if malformed, expired, or invalid
WebhookSignature::verifyOrFail(string $payload, string $signature, string $secret, int $tolerance = 300): void Verify a signature; throws InvalidSignatureException or SignatureExpiredException on failure
WebhookSignature::signWith(string $payload, string $secret, SignatureAlgorithm $algorithm, ?int $timestamp = null): string Sign a payload using a specific algorithm (SHA-256, SHA-384, or SHA-512)
WebhookSignature::verifyWith(string $payload, string $signature, string $secret, SignatureAlgorithm $algorithm, int $tolerance = 300): bool Verify a signature using a specific algorithm
WebhookSignature::verifyWithMultipleSecrets(string $payload, string $signature, array $secrets, int $tolerance = 300): bool Verify against multiple secrets; returns true if any matches (key rotation)
WebhookSignature::parseSignatureHeader(string $signature): ?array Parse a signature header into ['timestamp' => int, 'v1' => string]; returns null on malformed input

Development

composer install
vendor/bin/phpunit
vendor/bin/pint --test
vendor/bin/phpstan analyse

Support

If you find this project useful:

Star the repo

🐛 Report issues

💡 Suggest features

❤️ Sponsor development

🌐 All Open Source Projects

💻 GitHub Profile

🔗 LinkedIn Profile

License

MIT

philiprehberger/php-webhook-signature 适用场景与选型建议

philiprehberger/php-webhook-signature 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 59 次下载、GitHub Stars 达 1, 最近一次更新时间为 2026 年 03 月 13 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「stripe」 「signature」 「webhook」 「hmac」 「sha256」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 philiprehberger/php-webhook-signature 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 philiprehberger/php-webhook-signature 我们能提供哪些服务?
定制开发 / 二次开发

基于 philiprehberger/php-webhook-signature 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 59
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1
  • 点击次数: 36
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 1
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-03-13