Fix Insecure Webhooks in CodeIgniter
Webhooks are the soft underbelly of modern CodeIgniter 4 apps. A webhook endpoint is a public URL that accepts POST requests, so if you aren't verifying signatures you are running an unauthenticated gateway: anyone who can reach the URL can forge an event and drive your application's state (for example, marking any order as paid). Stop trusting the internet; start verifying payload integrity and origin with an HMAC over the raw body. If it's not signed, it's not real.
The Vulnerable Pattern
public function handleWebhook()
{
    // VULNERABLE: the JSON body is consumed without any origin or integrity check
    $data = $this->request->getJSON(true);

    // Anyone who can reach this URL can spoof the payload and mark any order as paid
    $orderId = $data['order_id'];
    $this->orderModel->update($orderId, ['status' => 'completed']);

    return $this->response->setStatusCode(200);
}
The Secure Implementation
The secure implementation enforces a shared-secret architecture. The provider and your application hold the same secret; the provider sends `sha256=<hex>` in a signature header (the `X-Hub-Signature-256` name below follows the GitHub convention; check your provider's documentation for its header name and format), and you recompute the HMAC with `hash_hmac` and compare. A matching HMAC proves the payload was not tampered with in transit and that it was produced by someone holding the secret. Two details matter. First, use `hash_equals` for the comparison, with the value you computed as the first argument, so the check runs in constant time and does not leak how many leading bytes matched. Second, compute the HMAC over the raw `getBody()` string, never over decoded-and-re-encoded JSON: re-serialization changes whitespace and key order, so the hash would no longer match what the provider signed. Keep `WEBHOOK_SECRET` in your `.env` file and treat a missing secret as a configuration failure, not as "skip verification". Note that an HMAC proves origin and integrity but not freshness; if your provider includes a timestamp or event ID, check it as well so a captured valid request cannot simply be replayed.
use CodeIgniter\API\ResponseTrait; // import at the top of the controller and add `use ResponseTrait;` inside the class; it provides failUnauthorized() and friends

public function handleWebhook()
{
    $secret    = (string) env('WEBHOOK_SECRET');
    $signature = $this->request->getHeaderLine('X-Hub-Signature-256');
    $payload   = (string) $this->request->getBody(); // raw body, never the decoded JSON

    if ($secret === '') {
        // Fail closed: an unset secret must not turn verification into a no-op
        log_message('critical', '[SECURITY] WEBHOOK_SECRET is not configured');
        return $this->failServerError('Webhook verification not configured');
    }

    if ($signature === '') {
        return $this->failUnauthorized('No signature provided');
    }

    // Compute HMAC-SHA256 over the raw request body, in the provider's "sha256=<hex>" format
    $expectedSignature = 'sha256=' . hash_hmac('sha256', $payload, $secret);

    // hash_equals() compares in constant time; the known-good value goes first
    if (!hash_equals($expectedSignature, $signature)) {
        log_message('critical', '[SECURITY] Webhook signature mismatch from ' . $this->request->getIPAddress());
        return $this->failUnauthorized('Invalid signature');
    }

    // Only now is the body trusted; still validate its shape before touching the database
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['order_id'])) {
        return $this->failValidationErrors('Malformed payload');
    }

    $this->orderModel->update($data['order_id'], ['status' => 'completed']);

    return $this->response->setStatusCode(200);
}
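To see the raw-body and constant-time points in isolation, here is an added stand-alone PHP script that is not code from the original page or from CodeIgniter. It models both sides of the exchange: a `signWebhook()` helper standing in for the provider, and a `verifyWebhookSignature()` function that is what the controller above does without the framework around it. The function names, the secret and the sample payload are constructed for illustration; it also goes slightly beyond the page by rejecting malformed header values before any comparison takes place.

```php
<?php
// Added example (not from the original page): stand-alone HMAC webhook
// verification runnable with `php verify_webhook.php`, outside CodeIgniter.
// Helper names, the secret and the sample payload are constructed for this
// demo; only the `X-Hub-Signature-256` / `sha256=<hex>` format follows the page.
declare(strict_types=1);

/** Provider side: how a sender builds the signature header for a raw body. */
function signWebhook(string $rawBody, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
}

/**
 * Receiver side: true only if $header is a well-formed "sha256=<hex>" value
 * whose HMAC matches the raw body. The locally computed value is passed to
 * hash_equals first so the comparison is constant time with respect to the
 * attacker-controlled string.
 */
function verifyWebhookSignature(string $rawBody, string $header, string $secret): bool
{
    if ($secret === '') {
        // A misconfigured receiver must fail closed rather than accept everything
        return false;
    }

    // Accept exactly "sha256=" followed by 64 lowercase hex characters, the form
    // hash_hmac() produces, so truncated or re-encoded headers never reach the comparison
    if (preg_match('/^sha256=[0-9a-f]{64}$/', $header) !== 1) {
        return false;
    }

    return hash_equals(signWebhook($rawBody, $secret), $header);
}

function report(string $label, bool $ok): void
{
    printf("%-32s %s\n", $label . ':', $ok ? 'accepted' : 'rejected');
}

// --- Constructed demo input (not real credentials or traffic) -------------
$secret  = 'demo-shared-secret-do-not-use';
$rawBody = "{\"order_id\": 1042, \"status\": \"paid\"}"; // spacing is deliberate
$header  = signWebhook($rawBody, $secret);             // what a legitimate provider sends

// 1. Untouched body and header.
report('genuine request', verifyWebhookSignature($rawBody, $header, $secret));

// 2. Attacker edits one field but cannot recompute the HMAC without the secret.
$tampered = str_replace('1042', '1043', $rawBody);
report('tampered order_id', verifyWebhookSignature($tampered, $header, $secret));

// 3. Why the page insists on the raw body: decoding and re-encoding JSON
//    changes the whitespace, so the bytes differ even though the data is the
//    same and the provider's signature no longer matches.
$reserialized = json_encode(json_decode($rawBody, true));
printf("re-serialized body identical: %s\n", $reserialized === $rawBody ? 'yes' : 'no');
report('re-serialized body', verifyWebhookSignature($reserialized, $header, $secret));

// 4. A header that is not in the expected format is refused before comparison.
report('uppercase-hex header', verifyWebhookSignature($rawBody, strtoupper($header), $secret));

// 5. Missing secret fails closed instead of accepting the genuine request.
report('empty secret', verifyWebhookSignature($rawBody, $header, ''));
```

Only the first case is accepted. Case 3 is the one that trips up most implementations: the decoded data is identical, but `json_encode` drops the spaces the provider's serializer emitted, so an HMAC over the re-serialized string never matches. Always hash the bytes you actually received.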
Verified by Ghost Labs Security Team