 

Protect php script that receive paypal IPN notifications

In my website, I've integrated a PHP script that receives an IPN notification and sends a license key to the customer. This script is in a folder with two other PHP files required by the script... How can I protect this folder? If I place in it an .htaccess with:

order allow,deny
deny from all

I block the paypal notifications too.

How can I protect it? Do I need to?

BitDrink asked Jul 14 '09 07:07


2 Answers

You can safely limit access to your IPN script only to the following list of IP addresses:

216.113.188.202
216.113.188.203
216.113.188.204
66.211.170.66

This can be done in the following way:

// Reject any caller that is not one of the PayPal notification addresses.
// Only REMOTE_ADDR is consulted; headers such as X-Forwarded-For are client-controlled.
$paypalIps = array('216.113.188.202', '216.113.188.203', '216.113.188.204', '66.211.170.66');
if (!in_array($_SERVER['REMOTE_ADDR'], $paypalIps, true)) {
    header("HTTP/1.0 404 Not Found");
    exit();
}

In this way ONLY Paypal will be able to access the IPN script.

This list of IP addresses has been rather stable for years. In case PayPal adds a new address, you can add reporting by email and review such cases manually.

Andriy B answered Sep 21 '22 22:09
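The following is an added example, not code from the answer above, showing the allow-list as a gate placed at the very top of the IPN script together with the email reporting the answer suggests for unknown callers. The four addresses are taken from the answer and are an assumption to be kept in sync with PayPal's published list; `$ipnReportTo` is a hypothetical address. Note the caveat: this gate only controls where a request may come from. It does not authenticate the notification's content, which PayPal's IPN protocol handles separately by having the script post the received message back to PayPal for validation.

```php
<?php
// Added example (not from the original answer): IP allow-list gate for an
// IPN handler, executed before anything else in the script.

// Allowed notification sources (assumption: the addresses listed in the
// answer above; keep in sync with PayPal's published list).
$ipnAllowedSources = array(
    '216.113.188.202',
    '216.113.188.203',
    '216.113.188.204',
    '66.211.170.66',
);

// Where reports about unknown callers go (hypothetical address).
$ipnReportTo = 'webmaster@example.com';

/**
 * Returns true when $remoteAddr is on the allow-list.
 * Only REMOTE_ADDR is consulted: X-Forwarded-For and similar headers are
 * set by the client and must not be used for this decision unless the
 * script sits behind a trusted reverse proxy that overwrites them.
 */
function ipnSourceAllowed($remoteAddr, array $allowed)
{
    // Compare binary forms: inet_pton() rejects malformed addresses, so the
    // check fails closed on anything that is not a well-formed IP.
    $packed = @inet_pton($remoteAddr);
    if ($packed === false) {
        return false;
    }
    foreach ($allowed as $ip) {
        if (@inet_pton($ip) === $packed) {
            return true;
        }
    }
    return false;
}

/**
 * Rejects the request with a 404 (indistinguishable from a missing file, as
 * in the answer) and reports the attempt by email so that a newly added
 * PayPal address shows up for manual review instead of being lost.
 */
function ipnRejectAndReport($remoteAddr, $reportTo)
{
    $body = sprintf(
        "IPN endpoint called from non-allow-listed address %s at %s\nUser-Agent: %s\n",
        $remoteAddr,
        gmdate('c'),
        isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-'
    );
    // error_log() keeps a record even when mail delivery fails.
    error_log($body);
    @mail($reportTo, 'Unknown IPN caller', $body);

    header('HTTP/1.0 404 Not Found');
    exit();
}

// Gate: everything below this point runs only for allow-listed callers.
$caller = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (!ipnSourceAllowed($caller, $ipnAllowedSources)) {
    ipnRejectAndReport($caller, $ipnReportTo);
}

// ... existing IPN handling (licence key generation and sending) follows ...
```

Keep the gate in the IPN script itself rather than in a file the script includes late: the two helper files the question mentions should do no work on their own, so a direct request to them has nothing to trigger.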


There are many things you can do:

  1. Give your script an obscure name so that it is not easily guessable.
  2. Disable directory listings in the folder
  3. Check if the calling site is paypal.com (or related IP address etc.)
Alec Smart answered Sep 18 '22 22:09
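Item 3 above, checking that the calling site is paypal.com, is easy to get wrong with a bare reverse lookup, because the owner of any address can point its PTR record at whatever name they like. The following is an added example, not code from the answer, of a forward-confirmed reverse DNS check: the address must reverse-resolve to a host under the expected domain, and that host must forward-resolve back to the same address. The resolver functions are injectable so the logic can be run against a constructed table; in production the defaults are PHP's `gethostbyaddr()` and `gethostbynamel()`. The hostnames and addresses in the table are constructed for illustration and are not real DNS data.

```php
<?php
// Added example (not from the answer above): forward-confirmed reverse DNS
// check for "is the caller from paypal.com?".

/**
 * Returns true when $ip reverse-resolves to a host under one of $domains and
 * that host forward-resolves to $ip again (forward-confirmed reverse DNS).
 * $reverse and $forward default to PHP's resolver functions and can be
 * replaced for testing.
 */
function ipnCallerIsFromDomain($ip, array $domains, $reverse = null, $forward = null)
{
    $reverse = $reverse ?: 'gethostbyaddr';
    $forward = $forward ?: 'gethostbynamel';

    $host = $reverse($ip);
    // gethostbyaddr() returns the input unchanged when there is no PTR record.
    if ($host === false || $host === $ip) {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));

    $underDomain = false;
    foreach ($domains as $d) {
        $d = strtolower($d);
        // Must be the domain itself or end in ".<domain>"; a plain substring
        // test would accept a look-alike such as "paypal.com.attacker.example".
        if ($host === $d || substr($host, -strlen($d) - 1) === '.' . $d) {
            $underDomain = true;
            break;
        }
    }
    if (!$underDomain) {
        return false;
    }

    // Forward confirmation: the claimed name must map back to the caller.
    $forwardIps = $forward($host);
    return is_array($forwardIps) && in_array($ip, $forwardIps, true);
}

// Constructed resolver table (not real DNS data) covering three situations:
//  - 192.0.2.10: PTR under paypal.com and the forward record agrees
//  - 192.0.2.20: PTR under paypal.com but the forward record points elsewhere
//  - 192.0.2.30: PTR names a look-alike domain
$fakePtr = array(
    '192.0.2.10' => 'ipn.paypal.com',
    '192.0.2.20' => 'ipn.paypal.com',
    '192.0.2.30' => 'paypal.com.attacker.example',
);
$fakeA = array(
    'ipn.paypal.com'              => array('192.0.2.10'),
    'paypal.com.attacker.example' => array('192.0.2.30'),
);
$reverse = function ($ip) use ($fakePtr) {
    return isset($fakePtr[$ip]) ? $fakePtr[$ip] : $ip;
};
$forward = function ($host) use ($fakeA) {
    return isset($fakeA[$host]) ? $fakeA[$host] : false;
};

foreach (array('192.0.2.10', '192.0.2.20', '192.0.2.30') as $ip) {
    $ok = ipnCallerIsFromDomain($ip, array('paypal.com'), $reverse, $forward);
    echo $ip, ': ', $ok ? 'accepted' : 'rejected', "\n";
}

// Production use, with the real resolvers:
// if (!ipnCallerIsFromDomain($_SERVER['REMOTE_ADDR'], array('paypal.com'))) { ... reject ... }
```

Each call costs two DNS lookups on the request path, and the result is only as trustworthy as the resolver the web server uses, so treat this as a complement to a static allow-list rather than a replacement for it.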