Riddle’s webhooks are a great way to process all the data generated by a Riddle on your own servers. But you need to be aware of mischievous users who might want to misuse the webhook to send altered data to your endpoint.

Fortunately – we’ve got you covered.

Quiz webhook signatures – use case

Just imagine the following scenario:

  • You run a quiz on your site and you want to make sure that only entries from the official riddle.com servers can be sent to your own database.
  • We’ve got you covered – you can use our nifty webhook signatures to secure the data transfer from Riddle to your database.
  • With these signatures you can be sure that the data’s origin is riddle.com and that the data was not tampered with.
  • Without validation, tech-savvy users could simply change the data that’s being sent to your site and change their results that way.

How to add webhook signatures

This is now possible with our new secret webhook signatures key – which can be found under Account > Signature.

To help you get started, we’ve created the following snippet – please make sure to replace the key below with your generated secret signature key.

IMPORTANT: please make sure to use PHP version 5.6 or higher

<?php

$privateKey = 'YOUR SECRET KEY'; // found under Account > Signature
// isset() avoids an "undefined index" notice when the header is missing
$receivedSignature = isset($_SERVER['HTTP_X_RIDDLE_SIGNATURE_2']) ?
    $_SERVER['HTTP_X_RIDDLE_SIGNATURE_2'] : null;

if (!$receivedSignature) {
    \http_response_code(403);
    die('Access denied - did not receive any signature.');
}

$data = \file_get_contents('php://input');
$generatedSignature = \hash_hmac('sha256', $data, $privateKey);

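// hash_equals() compares in constant time, so response timing does not leak how much of the signature matched
if (!\hash_equals($generatedSignature, $receivedSignature)) { // the signature does not match - reject this webhook
    \http_response_code(403);
    // never echo $generatedSignature: it would hand the caller a valid signature for the body they sent
    die('Access denied - invalid signature.');
}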

// do anything - the signature matches and you can be sure that the data is from riddle.com
echo 'SIGNATURE CHECK SUCCEEDED!';

Feel free to implement this kind of validation with any other programming language.
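
The same check ported to Python, as an added example that is not Riddle's own code. The header name is inferred from the PHP `$_SERVER` key above, and the JSON body format, the sample payload and the demo secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: header name inferred from PHP's HTTP_X_RIDDLE_SIGNATURE_2 key.
SIGNATURE_HEADER = "x-riddle-signature-2"


def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, like PHP's hash_hmac('sha256', ...)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: str):
    """Return (http_status, payload_or_None) for one webhook request."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return 403, None
    expected = sign(raw_body, secret)
    # Compare as bytes: compare_digest() raises TypeError on non-ASCII str,
    # and its constant-time behaviour matches PHP's hash_equals().
    if not hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8")):
        # Deliberately no detail here: the expected value stays server-side.
        return 403, None
    # Parse only after the check, from the exact bytes that were signed.
    # Assumption: the body is JSON; the page does not state the format.
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    secret = "constructed-demo-secret"            # constructed, not a real key
    body = b'{"quiz": "demo", "score": 7}'        # constructed sample payload
    sig = sign(body, secret)
    print(verify_webhook({"X-Riddle-Signature-2": sig}, body, secret))
    print(verify_webhook({"X-Riddle-Signature-2": sig}, body.replace(b"7", b"10"), secret))
```

Pass the request body exactly as received: re-serialising parsed JSON before hashing changes the bytes and makes valid webhooks fail the check.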

Any questions about webhook signatures?

If you run into any problems, feel free to ask us using support chat (we’re lightning fast to reply) or email (hello@riddle.com).

Seriously, we’ve been big quiz (and customer support) geeks since 2014 – we all love to help.
