
Passing csrf token to Stripe

I am using stripe.js for Stripe payments. I need to set up a callback webhook to receive the request from Stripe.

Since the webhook is posted to by Stripe, I have marked it as csrf_exempt.

  1. Is there any risk with making this view csrf_exempt?
  2. If I should have csrf protection on this view, how can I pass and get back the csrf tokens from stripe?
shabda asked May 20 '13 16:05


1 Answer

That's not going to work. Definitely disable csrf for the callback from Stripe.

Even if you...

  • passed the csrf_token to Stripe
  • found a way to get Stripe to post that same token back to your callback URL

The token would be irrelevant at that point as the token is for your current browser session only (typically a cookie).

The CSRF token is generated upon every request and sent to the browser to be stored in a cookie. Stripe will not have this cookie and thus you'll get a CSRF Error just the same.

Yuji 'Tomita' Tomita answered Nov 03 '22 01:11