We should check X-Hub-Signature to make sure the request was sent by Facebook.
This is my code example (using Yii2 framework)
    use Yii;
    use yii\web\NotFoundHttpException;

    // Read the raw body: the HMAC must be computed over the bytes exactly as received,
    // not over a re-encoded/decoded copy.
    $raw = file_get_contents("php://input");
    // ....
    $signature = Yii::$app->request->headers->get('X-Hub-Signature');
    if (empty($signature)) {
        throw new NotFoundHttpException();
    }
    $appSecret = Yii::$app->params['facebook_secret'];
    $shaAppSecret = hash_hmac('sha1', $raw, $appSecret);
    // Constant-time comparison instead of ==, which is both timing-unsafe and
    // subject to PHP's loose comparison rules.
    if (hash_equals("sha1=" . $shaAppSecret, $signature)) {
        // Process message
    } else {
        // Process when someone fakes the request.
    }
If we don't implement this, somebody can fake the request to send spam messages.
Please add it to your code for all devs' reference.
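The same check as a stand-alone function, added here as an example (not code from the post above or from Yii2), exercised against constructed sample data; the secret and body are assumed values:

```php
<?php
// Added example: framework-independent verifier for the X-Hub-Signature header.

/**
 * Return true only if $header is "sha1=<hex HMAC-SHA1 of $rawBody under $appSecret>".
 * Uses hash_equals so the comparison runs in constant time.
 */
function verifyHubSignature(string $rawBody, ?string $header, string $appSecret): bool
{
    if ($header === null || $header === '') {
        return false;                       // header missing: treat as unsigned
    }
    // Accept exactly "sha1=" followed by 40 lowercase hex characters, nothing else.
    if (!preg_match('/^sha1=([0-9a-f]{40})$/', $header, $m)) {
        return false;
    }
    $expected = hash_hmac('sha1', $rawBody, $appSecret);
    return hash_equals($expected, $m[1]);
}

// --- constructed sample data (assumed values, not real Facebook traffic) ---
$secret = 'example-app-secret';                                   // assumed app secret
$body   = '{"object":"page","entry":[{"id":"123","messaging":[]}]}';

// Header as the sender would compute it for this body and secret.
$goodHeader = 'sha1=' . hash_hmac('sha1', $body, $secret);

var_dump(verifyHubSignature($body, $goodHeader, $secret));        // untouched request
var_dump(verifyHubSignature($body . ' ', $goodHeader, $secret));  // body altered in transit
var_dump(verifyHubSignature($body, null, $secret));               // header absent
var_dump(verifyHubSignature($body, 'sha1=deadbeef', $secret));    // malformed header
```

Only the first call should accept the request; feed it the raw request body, since any re-serialisation of the JSON changes the HMAC.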