Hello,
Working on my Front Admin certification and this is my contribution to the community. I haven’t seen many PHP integrations and wanted to share how I am verifying the Front signature.
<?php
// Secret used as the HMAC key when checking the X-Front-Signature header.
// The value below is a placeholder: supply the real key at deploy time
// (environment variable, secrets manager, or a config file outside the web root)
// and keep it out of version control, since anyone holding it can forge signatures.
define('FRONT_WEBHOOK_API_KEY', 'xxxxxxxxxxxxxxxxxxxxx');
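/**
 * Verify that a rule webhook request was signed by Front.
 *
 * Computes the HMAC-SHA1 of the raw request body keyed with FRONT_WEBHOOK_API_KEY,
 * base64-encodes the raw digest, and compares it in constant time with the
 * X-Front-Signature request header.
 *
 * The payload must be the exact bytes received (e.g. read from php://input);
 * re-serialising decoded JSON changes the bytes and the signature will not match.
 *
 * A valid signature shows the body was signed with the shared key. It does not
 * by itself show the request is fresh, so a handler that must not act twice on
 * the same event should also de-duplicate on an identifier from the payload.
 *
 * @since 1.0.0
 *
 * @param string $payload Raw request body.
 *
 * @return bool true if the signature header is present and matches, otherwise false.
 *
 * @link https://dev.frontapp.com/docs/webhooks-1#configure-rule-webhooks
 */
function is_valid_front_webhook($payload)
{
    // file_get_contents('php://input') returns false on failure; an unreadable
    // body cannot be authenticated, so reject it instead of hashing ''.
    if (!is_string($payload)) {
        return false;
    }

    // A missing header means the request is unsigned: fail closed.
    $receivedSignature = $_SERVER['HTTP_X_FRONT_SIGNATURE'] ?? null;
    if (!is_string($receivedSignature)) {
        return false;
    }

    $key = mb_convert_encoding(FRONT_WEBHOOK_API_KEY, 'UTF-8');

    // Ask for the raw binary digest directly rather than hex followed by hex2bin().
    $expectedSignature = base64_encode(hash_hmac('sha1', $payload, $key, true));

    // hash_equals() takes the known value first and the caller-supplied value
    // second; it compares in constant time so the check does not leak, through
    // timing, how much of a guessed signature was correct.
    return hash_equals($expectedSignature, $receivedSignature);
}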
/*
 * Usage - verify the webhook is from Front before doing anything else with it.
 * The body is read once, as raw bytes, and that same string is what gets verified;
 * nothing below this guard runs for a request that fails the check.
 */
$payload = file_get_contents('php://input');
$rejected = !is_valid_front_webhook($payload);
if ($rejected) {
    // Answer with a generic 403 page and stop; the response gives no detail
    // about why verification failed.
    header('HTTP/1.1 403 Forbidden');
    exit('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don\'t have permission to access this resource.</p>
</body></html>');
}
?>