On the off chance anyone else is wrestling with this, while I know how Ghost calculates the hash based on a secret to be passed via webhook header, and I’m using the same algorithm, I still can’t get it to match up with the hash being passed in the X-Ghost-Signature webhook header.
Does anyone know what Ghost is hashing? I had assumed it was everything from to tags in the payload, but it seems like that is wrong.
The signature includes a timestamp, you’ll need to strip it:
You can set a webhook secret. Here’s how the secret is generated (tldr: hmac of the request payload signed with the shared secret):
Issue Title: Unable to Verify Ghost Event Using Webhook
I am currently working on integrating webhooks from my Ghost website into my server, and I’m having trouble understanding how to verify that the events received by my server are indeed from my Ghost website and not from a potential malicious source.
I have set up webhooks in my Ghost website to notify my server of certain events such as new post creation, but I’m not sure how to implement authentication o…
Thanks for that. It’s a weird process, even if I can’t why it’s not easy to standardize.