Fixing Webhook Signature and Timestamp Mismatch in Cashfree Payment Integration for WordPress Plugins
When integrating Cashfree Payment Gateway webhooks in a custom WordPress plugin, one common issue developers face is a mismatch in signature and timestamp during verification. If you’ve encountered errors like “Signature Mismatch” or “Invalid Timestamp,” you’re not alone!
In this post, I’ll walk through the problem and show you how I resolved it with a simple change in how headers are read from the webhook request.
🔍 The Issue: Signature and Timestamp Mismatch
Initially, my custom plugin fetched webhook headers like this:
$received_signature = $request->get_header('x-cf-signature');
$received_timestamp = $request->get_header('x-cf-timestamp');
However, when Cashfree sent live webhook requests, the values did not match the expected ones used for signature validation.
After debugging, I found that the webhook requests were not using lowercase headers, but instead used capitalized header names:
$received_signature = $request->get_header('X-Webhook-Signature');
$received_timestamp = $request->get_header('X-Webhook-Timestamp');
✅ The Solution: Use Correct Header Names
To resolve the mismatch issues, update your code like this:
$raw_post_data = $request->get_body();
$received_signature = $request->get_header('X-Webhook-Signature');
$received_timestamp = $request->get_header('X-Webhook-Timestamp');
This change ensures your webhook validation works as expected.
🔐 Why This Matters
Cashfree (like many other gateways) signs its webhook requests so that the receiver can verify their authenticity. If the signature doesn't match, it's likely because:
- Headers were not read with the correct case
- The raw body was altered or not captured properly
- Timestamp wasn’t passed accurately
By ensuring header names match exactly as sent by Cashfree, you avoid validation failures.
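The three inputs above (raw body, signature, timestamp) feed a check like the following, an added example that is not the original plugin's or Cashfree's code. It assumes the signature is base64(HMAC-SHA256(timestamp + raw body, secret key)) and that the timestamp is a Unix epoch in milliseconds; the function name, the result strings, the 5-minute tolerance and all sample values are hypothetical.

```php
<?php
// Added example. Assumed scheme: base64(HMAC-SHA256(timestamp . raw_body, secret)),
// timestamp in epoch milliseconds. Names and tolerance are hypothetical.
function cf_verify_webhook(string $raw_body, ?string $signature, ?string $timestamp,
                           string $secret, int $now_ms, int $tolerance_ms = 300000): string
{
    // Fail closed when a header is absent (get_header() returns null in that case).
    if ($signature === null || $signature === '' || $timestamp === null || $timestamp === '') {
        return 'missing_header';
    }
    // The timestamp is part of the signed string; accept digits only.
    if (!ctype_digit($timestamp)) {
        return 'invalid_timestamp';
    }
    // Sign the exact bytes received. Re-encoding decoded JSON changes them.
    $expected = base64_encode(hash_hmac('sha256', $timestamp . $raw_body, $secret, true));
    // Constant-time comparison, so the check does not leak how many bytes matched.
    if (!hash_equals($expected, $signature)) {
        return 'signature_mismatch';
    }
    // Freshness is checked only after the timestamp has been authenticated.
    if (abs($now_ms - (int) $timestamp) > $tolerance_ms) {
        return 'stale_timestamp';
    }
    return 'ok';
}

// Constructed sample data, not real Cashfree traffic or credentials.
$secret = 'constructed_test_secret';
$body   = '{"order_id": "order_123", "amount": 10.00}';
$ts     = '1700000000000';
$sig    = base64_encode(hash_hmac('sha256', $ts . $body, $secret, true));
$now    = 1700000060000; // one minute after $ts

$cases = [
    'valid request'        => [$body, $sig, $ts, $now],
    're-encoded JSON body' => [json_encode(json_decode($body, true)), $sig, $ts, $now],
    'replayed an hour on'  => [$body, $sig, $ts, $now + 3600000],
    'signature header gone' => [$body, null, $ts, $now],
];
foreach ($cases as $label => [$b, $s, $t, $n]) {
    echo str_pad($label, 24), cf_verify_webhook($b, $s, $t, $secret, $n), PHP_EOL;
}
```

In the plugin, the first three arguments would come from `$request->get_body()` and the two `$request->get_header()` calls shown above, and any result other than `ok` should end the request with an error response before the payload is processed.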
🧪 Debugging Tip
If you’re unsure about the actual headers received, log them using:
error_log(print_r($request->get_headers(), true));
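This will output all headers to your PHP error log, helping you confirm header formats. Remove the call once you have confirmed them, since it records every header of every webhook request, including the signature.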
📌 Final Notes
- Always use exact casing for headers when validating webhooks.
- Log headers during debugging for clarity.
- Keep your plugin code updated in case Cashfree changes their header structure.
Have you faced similar issues? Feel free to share in the comments and let’s help each other out!