GuardAPI

Fix Insecure Webhooks in Laravel

Webhooks are essentially unauthenticated POST endpoints exposed to the public internet. If you aren't verifying the payload signature, you're handing an attacker a remote code execution or logic bypass primitive. Blindly trusting the 'user_id' or 'action' in a request body allows trivial spoofing. To secure Laravel webhooks, you must implement HMAC (Hash-based Message Authentication Code) verification using a shared secret.

The Vulnerable Pattern

public function handleWebhook(Request $request)
{
    // VULNERABLE: No signature verification.
    // Anyone can POST to this endpoint.
    $data = $request->all();
    $order = Order::find($data['order_id']);

    if ($data['status'] === 'paid') {
        $order->markAsPaid();
    }

    return response()->json(['status' => 'success']);
}

The Secure Implementation

The secure implementation introduces three critical layers:

1. Raw Content Access: We use $request->getContent() because the signature is generated against the raw body, and Laravel's $request->all() can be modified by middleware.
2. HMAC-SHA256: We compute a local hash of the payload using a shared secret.
3. Constant-Time Comparison: We use hash_equals() instead of '==' to mitigate timing attacks that could leak the signature byte-by-byte.

Always store your webhook secret in an encrypted environment variable, never hardcoded.

public function handleWebhook(Request $request)
{
    $signature = $request->header('X-Payload-Signature');
    $secret = config('services.webhook.secret');
    // Raw body: the sender signed these exact bytes, not a re-encoded array.
    $payload = $request->getContent();

    if (!$signature) {
        abort(401, 'Signature missing');
    }

    // Fail closed if the secret is not configured: hash_hmac() with an
    // empty key would let anyone produce a "valid" signature.
    if (empty($secret)) {
        abort(500, 'Webhook secret not configured');
    }

    $computedSignature = hash_hmac('sha256', $payload, $secret);

    // Use hash_equals to prevent timing attacks
    if (!hash_equals($computedSignature, $signature)) {
        abort(403, 'Invalid signature');
    }

    // Only decode the body after the signature has been verified.
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['order_id'])) {
        abort(400, 'Malformed payload');
    }

    $order = Order::findOrFail($data['order_id']);
    $order->markAsPaid();

    return response()->json(['status' => 'verified']);
}
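To show both sides of the exchange outside a Laravel request cycle, here is an added example (not GuardAPI's code) in plain PHP: the sender signs the raw bytes, the receiver verifies them with hash_equals(), and a re-serialised copy of the same JSON fails, which is why the raw body from getContent() matters. The header name and hex encoding follow the article; the secret and payload are constructed sample values.

```php
<?php
// Added example, not GuardAPI's code: both sides of the HMAC exchange
// above as plain PHP, so it runs outside Laravel. The header name and hex
// encoding follow the article; secret and payload are constructed samples.
declare(strict_types=1);

// Sender side: sign the exact bytes that go on the wire.
function signPayload(string $rawBody, string $secret): string
{
    return hash_hmac('sha256', $rawBody, $secret);
}

// Receiver side: recompute over the raw body, compare in constant time.
function verifySignature(string $rawBody, ?string $header, string $secret): bool
{
    if ($secret === '' || $header === null || $header === '') {
        return false; // unconfigured secret or missing header: fail closed
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $header);
}

function report(string $case, bool $ok): void
{
    echo str_pad($case, 20) . ($ok ? 'accepted' : 'rejected') . PHP_EOL;
}

$secret  = 'constructed-sample-secret';            // constructed
$rawBody = '{"order_id": 42,  "status": "paid"}'; // constructed; note spacing
$sig     = signPayload($rawBody, $secret);

report('untouched body', verifySignature($rawBody, $sig, $secret));

// Changing one field of the body invalidates the signature.
$tampered = str_replace('"paid"', '"refunded"', $rawBody);
report('tampered body', verifySignature($tampered, $sig, $secret));

// Why the article uses $request->getContent(): re-serialising the decoded
// body changes whitespace, so the HMAC of "the same data" no longer matches.
$reEncoded = json_encode(json_decode($rawBody, true));
report('re-encoded body', verifySignature($reEncoded, $sig, $secret));

// A missing header is rejected rather than passed into hash_equals().
report('missing header', verifySignature($rawBody, null, $secret));
```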


Verified by Ghost Labs Security Team
