Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to ensure security in Stripe webhooks?

Tags:

php

stripe-payments

webhooks

I would be creating Stripe web hooks and want to know how to ensure security such that only Stripe can access my URL?

I am using Laravel with the Stripe library.

like image 657
sameer shaikh Avatar asked Feb 03 '15 09:02

sameer shaikh

2 Answers

As noted in the documentation:

If security is a concern, or if it's important to confirm that Stripe sent the webhook, you should only use the ID sent in your webhook and should request the remaining details from the Stripe API directly. We also advise you to guard against replay-attacks by recording which events you receive, and never processing events twice.

In other words, there's no way to confirm where a request came from. As such, don't trust any of its data, except for the id of any given item. You then contact the Stripe API yourself, asking for the item with the given id. This way you know where you're getting your data from, and the webhook call essentially just becomes a notification letting you know you should check in with the API.

like image 71
deceze Avatar answered Nov 12 '22 23:11

deceze

Actually you can limit the access to your webhooks only to the Stripe IPs. That's why Stripe have a list of webhooks ips updated.

https://stripe.com/docs/ips

I just did it for a project using Laravel and Stripe. You can do something like:

//Only accept connections from stripe ips.


    //Save stripe info for 24 hours for performance.
    $stripe_webhooks_ips = Cache::remember('stripe_webhooks_ips', 1440, function()
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_URL, 'https://stripe.com/files/ips/ips_webhooks.json');
        $result = curl_exec($ch);
        curl_close($ch);

        $json_result = json_decode($result,true);

        return $json_result['WEBHOOKS'];
    });



    if(in_array($_SERVER['REMOTE_ADDR'],$stripe_webhooks_ips)) {
        //Your Code Here.
    }

About the security of the remote_addr variable: Is it safe to trust $_SERVER['REMOTE_ADDR']?

Remember to take extra measures to get the origin ip if you are behind a proxy or a CDN service like Cloudfare, etc.

like image 40
Carlos Devia Avatar answered Nov 13 '22 01:11

Carlos Devia
Sign in to Comment

Related questions

Symfony2 - Show all tables from database
Routing to Controller fails in Laravel 4
Magento get all products in a certain category ordered by the 'Position' field
SELECT FOUND_ROWS() return 1 in mysql
Is it okay to use string as your ID in a MySQL table?
How to merge column in Excel using PHPExcel
Get end value of multidimensional array
php - Get compressed contents using cURL
PHP source code in UTF-8 files; how to interpret properly?
Column Name Conflict on Laravel 4 Fluent Query Builder
Google Distance Matrix JSON shortest path (PHP)
Cannot download composer - 1and1 with ssh access to server
Angularjs - File upload with php
MySQL Query Order By Value in JSON Column
Symfony2 Monolog configure to use raven handler (Sentry)
Patchwork\Utf8\Bootup causing problems with Laravel 4
Laravel 4: Eloquent relationship get all data
PHP foreach loop to populate dropdown list with values from an array of arrays
Redirect with PHP after ajax call
Cancel Subscription At Period End

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!