Mandrill Webhooks - Security

Mandrill's signature is located in the HTTP response header (see Mandrill's documentation: Authenticating webhook requests).

In the request header, find X-Mandrill-Signature. This is the base64 encoding of the hash, signed using the webhook key. This key is secret to your webhook only.


We have a range of IPs used for webhooks, but they can (and likely will) change or have new ones added as we scale. An alternative would be to add a query string to the webhook URL you add in Mandrill, and then check for that query string when a POST comes in so you can verify it's coming from Mandrill.


Just replace the constants and use this function:

<?php

// Replace these two constants with the webhook URL exactly as registered in
// Mandrill and the webhook's authentication key (both values below are placeholders).
define('WEB_HOOK_URL', 'https://example.com/mandrill/webhook');
define('WEB_HOOK_AUTH_KEY', 'your-webhook-key');

function generateSignature($post)
{
    // Mandrill signs the webhook URL followed by every POST key and value,
    // keys in sorted order, with HMAC-SHA1 keyed by the webhook key.
    $signed_data = WEB_HOOK_URL;
    ksort($post);
    foreach ($post as $key => $value) {
        $signed_data .= $key;
        $signed_data .= $value;
    }

    return base64_encode(hash_hmac('sha1', $signed_data, WEB_HOOK_AUTH_KEY, true));
}

//---

// A request without the header must fail the check rather than raise a notice.
$received = isset($_SERVER['HTTP_X_MANDRILL_SIGNATURE']) ? $_SERVER['HTTP_X_MANDRILL_SIGNATURE'] : '';

// hash_equals() compares in constant time, unlike != which is also a loose comparison.
if (!hash_equals(generateSignature($_POST), $received)) {
    // Invalid: reject the request and do not process the events
    http_response_code(403);
    exit;
}
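The same scheme in Python, as an added example that is not part of the original post: it reproduces the signing algorithm the PHP function above implements (registered webhook URL, then sorted POST keys and values, HMAC-SHA1 with the webhook key, base64), and combines it with the query-string check suggested in the Mandrill quote above. It simulates both sides, what Mandrill would send and what the receiver verifies, so it runs offline; the URL, token, key and event payload are constructed placeholders, and `verify_request`/`generate_signature` are names chosen here, not Mandrill's API.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed placeholders: the webhook URL as registered in Mandrill (carrying a
# secret query-string token) and the webhook's authentication key.
WEBHOOK_URL = "https://example.com/mandrill/webhook?token=CONSTRUCTED_TOKEN"
WEBHOOK_AUTH_KEY = "constructed-webhook-key"

# Constructed sample POST body: Mandrill delivers the events as a JSON string in
# the single form field "mandrill_events".
SAMPLE_POST = {"mandrill_events": '[{"event":"send","msg":{"_id":"CONSTRUCTED_ID"}}]'}


def generate_signature(webhook_url: str, post_params: dict, auth_key: str) -> str:
    """Signed data = webhook URL + every POST key and value with keys in sorted
    order; HMAC-SHA1 keyed by the webhook key; base64 of the raw digest."""
    signed_data = webhook_url
    for key in sorted(post_params):
        signed_data += key + post_params[key]
    digest = hmac.new(auth_key.encode(), signed_data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def _token(url: str):
    return parse_qs(urlparse(url).query).get("token", [None])[0]


def verify_request(request_url: str, headers: dict, post_params: dict) -> tuple:
    """Receiver side. Returns (accepted, reason) for one incoming webhook POST."""
    # 1. Query-string token: the URL registered in Mandrill carries a secret, so a
    #    POST that arrives without it is rejected before any signature work.
    expected_token, received_token = _token(WEBHOOK_URL), _token(request_url)
    if expected_token is None or received_token is None \
            or not hmac.compare_digest(expected_token, received_token):
        return False, "query-string token missing or wrong"

    # 2. A missing signature header is a rejection, not a crash.
    received_sig = headers.get("X-Mandrill-Signature")
    if received_sig is None:
        return False, "X-Mandrill-Signature header missing"

    # 3. Recompute over the URL we registered (never the URL the request claims)
    #    and compare in constant time.
    expected_sig = generate_signature(WEBHOOK_URL, post_params, WEBHOOK_AUTH_KEY)
    if not hmac.compare_digest(expected_sig, received_sig):
        return False, "signature mismatch"
    return True, "ok"


def simulate_mandrill_post() -> tuple:
    """Sender side: the URL, headers and form params Mandrill would deliver."""
    sig = generate_signature(WEBHOOK_URL, SAMPLE_POST, WEBHOOK_AUTH_KEY)
    return WEBHOOK_URL, {"X-Mandrill-Signature": sig}, SAMPLE_POST


if __name__ == "__main__":
    url, hdrs, params = simulate_mandrill_post()
    print(verify_request(url, hdrs, params))
    tampered = dict(params, mandrill_events='[{"event":"send","msg":{"_id":"OTHER"}}]')
    print(verify_request(url, hdrs, tampered))
    print(verify_request(url.split("?")[0], hdrs, params))
```

The receiver signs with the URL it registered rather than anything taken from the request, so the token check and the signature check are independent: the token stops traffic from anyone who does not know the registered URL, and the signature ties the exact event payload to the webhook key.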