GuardAPI

Fix Insecure Webhooks in Slim

Insecure webhooks are low-hanging fruit for attackers. If your Slim application processes incoming POST requests from external services (such as Stripe, GitHub, or your own microservices) without cryptographic verification, you are inviting RCE, data tampering, or unauthorized state changes. Relying on IP whitelisting is a rookie mistake that is easily bypassed via spoofing. Real security requires a signed payload and a constant-time comparison.

The Vulnerable Pattern

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;

$app->post('/api/webhook', function (Request $request, Response $response) use ($db) {
    $data = $request->getParsedBody();
    // VULNERABILITY: no signature verification.
    // Anyone who can reach this endpoint can POST a fake payload.
    $userId = $data['user_id'];
    $db->update('users', ['premium' => true], ['id' => $userId]);
    return $response->withStatus(200);
});

The Secure Implementation

The secure implementation enforces a shared-secret architecture. First, we read the raw request body: hashing the output of getParsedBody() is unreliable, because re-serialising a parsed body (or a body altered by middleware) does not reproduce the exact bytes the sender signed, so the MAC will not match. We compute an HMAC-SHA256 tag over those raw bytes using a server-side secret. Crucially, we compare it with hash_equals(). Standard string comparison (==) is vulnerable to timing attacks, where an attacker can recover the correct signature byte by byte by measuring how long the server takes to reject each request. By validating the signature before doing any processing, we ensure the payload's integrity and authenticity.

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;

$app->post('/api/webhook', function (Request $request, Response $response) use ($db) {
    $signature = $request->getHeaderLine('X-Hub-Signature-256');
    // Hash the raw bytes exactly as the sender signed them, not a re-serialised parsed body.
    $payload = (string)$request->getBody();
    $secret = $_ENV['WEBHOOK_SECRET'] ?? '';

    // Refuse to run without a secret: an empty key would make every signature forgeable.
    if ($secret === '') {
        return $response->withStatus(500);
    }

    if ($signature === '') {
        return $response->withStatus(401);
    }

    $computed = 'sha256=' . hash_hmac('sha256', $payload, $secret);

    // hash_equals() compares in constant time; keep the known value first and the
    // attacker-controlled header second.
    if (!hash_equals($computed, $signature)) {
        return $response->withStatus(403);
    }

    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['user_id'])) {
        return $response->withStatus(400);
    }

    $db->update('users', ['premium' => true], ['id' => $data['user_id']]);
    return $response->withStatus(200);
});
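To see the signing and verification logic on its own, outside the Slim handler, here is a stand-alone PHP script added for this article (it is not code from the GuardAPI page or from the Slim project). The sign() and verify() helpers, the header name, and the secret and payload values are constructed for the demonstration; the script runs with plain `php` and needs no framework.

```php
<?php
// Added example: sign a webhook body and verify it the way the Slim handler does.
// sign(), verify(), the secret and the payload below are constructed for this demo.
declare(strict_types=1);

// Same header the handler above reads.
const SIGNATURE_HEADER = 'X-Hub-Signature-256';

// Sender side: MAC over the exact bytes that will go on the wire.
function sign(string $payload, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $payload, $secret);
}

// Receiver side: reject empty secret or header, then compare in constant time.
// Known value first, attacker-controlled header second.
function verify(string $payload, string $secret, string $header): bool
{
    if ($secret === '' || $header === '') {
        return false;
    }
    return hash_equals(sign($payload, $secret), $header);
}

$secret = 'demo-secret-do-not-use';                               // constructed
$raw    = '{"user_id": 42,  "event": "payment.succeeded"}';       // constructed; note the double space

// What the sender would put in the X-Hub-Signature-256 header.
$header = sign($raw, $secret);
echo SIGNATURE_HEADER, ': ', $header, PHP_EOL;

// 1. Untouched body and correct secret: accepted.
var_dump(verify($raw, $secret, $header));

// 2. One byte of the body changed in transit: rejected.
$tampered = str_replace('42', '43', $raw);
var_dump(verify($tampered, $secret, $header));

// 3. Wrong secret, and missing header: both rejected.
var_dump(verify($raw, 'some-other-secret', $header));
var_dump(verify($raw, $secret, ''));

// 4. Why the handler reads the raw body: decoding and re-encoding the JSON
//    changes the bytes (the whitespace here), so a MAC over the re-serialised
//    form no longer matches the sender's header.
$reserialised = json_encode(json_decode($raw, true));
var_dump($reserialised === $raw);
var_dump(verify($reserialised, $secret, $header));
```

Case 1 is the only one that verifies; cases 2 and 3 fail because the MAC is bound to both the bytes and the secret, and case 4 fails even though the body is semantically identical, which is exactly the failure you get when you hash getParsedBody() output instead of the raw stream.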


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.