My Ruby on Rails application uses Stripe for card payments. Stripe has a provision for webhooks, through which it contacts my application and gives details about every transaction, succeeded or failed.
For this, I have in my controller something like this:
require 'json'

class StripeController < ApplicationController
  def webhook
    # Raw POST body from Stripe, parsed without any authenticity check
    data_json = JSON.parse(request.body.read)
    p data_json['data']['object']['customer']
    head :ok
  end
end
My question is how can I validate the authenticity of this webhook? To my knowledge and understanding one can easily imitate this (man-in-the-middle attack).
Webhooks support two types of authentication: basic and bearer token. Both types of authentication should only be used over HTTPS (TLS). Although not recommended, it's also possible to create a webhook without authentication. To do this, omit the authentication property from the request.
From Stripe's webhooks documentation:
If security is a concern, or if it's important to confirm that Stripe sent the webhook, you should only use the ID sent in your webhook and should request the remaining details from the Stripe API directly.
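A way to apply that advice in the controller from the question, as an added example that is not the asker's code, Stripe's library, or the answer author's: only the event ID is read from the POSTed body, and every other field is taken from a fresh lookup against Stripe. The lookup is injected as a callable so the example runs offline; the constructed TRUSTED_EVENTS table stands in for what Stripe::Event.retrieve (from the stripe gem, over HTTPS with your secret key) would return in production.

```ruby
require 'json'

# Raised when the webhook body cannot be tied to an event Stripe knows about.
class WebhookVerificationError < StandardError; end

# Constructed stand-in for Stripe's API responses (not real Stripe data).
TRUSTED_EVENTS = {
  'evt_test_123' => {
    'id' => 'evt_test_123',
    'type' => 'charge.succeeded',
    'data' => { 'object' => { 'customer' => 'cus_test_456', 'amount' => 2000 } }
  }
}.freeze

# Hypothetical lookup; in production this would be Stripe::Event.retrieve(id).
def fetch_event_from_stripe(id)
  TRUSTED_EVENTS[id]
end

# Returns the verified event hash or raises WebhookVerificationError.
# Only the ID is taken from the untrusted body; the rest comes from the API.
def verified_event(raw_body, fetcher: method(:fetch_event_from_stripe))
  payload = JSON.parse(raw_body)
  id = payload['id']
  unless id.is_a?(String) && id.start_with?('evt_')
    raise WebhookVerificationError, 'missing or malformed event id'
  end
  event = fetcher.call(id)
  raise WebhookVerificationError, "Stripe has no event #{id}" if event.nil?
  event
rescue JSON::ParserError => e
  raise WebhookVerificationError, "malformed body: #{e.message}"
end

# A forged body claims a different customer for a real event ID; the forged
# field is ignored because the customer is read from the API copy instead.
forged = { 'id' => 'evt_test_123',
           'data' => { 'object' => { 'customer' => 'cus_attacker' } } }.to_json
event = verified_event(forged)
puts event['data']['object']['customer'] # cus_test_456, from the lookup

# A body naming an event Stripe never issued is rejected outright.
begin
  verified_event({ 'id' => 'evt_made_up' }.to_json)
rescue WebhookVerificationError => e
  puts "rejected: #{e.message}"
end
```

In the Rails controller this replaces the direct use of data_json: parse the body, pass it to verified_event, and act only on the returned event. Keep the fetcher injectable so the controller can be tested without network access.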