Generate a SHA1 signature using the payload and your app’s App Secret. Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine. Please note that we generate the signature using an escaped unicode version of the payload, with lowercase hex digits.
https://developers.facebook.com/docs/graph-api/webhooks/getting-started