Check the IP of incoming webhook requests #193

Open
loicginoux opened this issue Feb 23, 2023 · 2 comments
Labels
enhancement New feature or request
Comments

@loicginoux
Contributor

Desired Behavior

Events received via webhooks should be verified as coming from a Stripe server, for security reasons, before processing/handling them.
https://stripe.com/docs/ips

@loicginoux loicginoux added the enhancement New feature or request label Feb 23, 2023
@waiting-for-dev
Contributor

Thanks, @loicginoux. I hadn't thought about that, and having an extra layer of security is good. Although, technically, as we're checking the event signature, we should be safe.

@loicginoux
Contributor Author

I'd say that's not a must-have for the first release but still necessary. Checking the signature is not enough if an employee steals the API key and sends events to your webhook endpoints, making it look like they're coming from Stripe.

@elia elia changed the title implement an ip whichlist Check the IP of incoming webhook requests Mar 7, 2023
@elia elia added this to the v5 milestone Mar 8, 2023
@elia elia modified the milestones: v5, v5.1 Apr 27, 2023
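
The two layers discussed in this thread (source IP allowlist plus the existing signature check), combined in one gate, as an added example that is not part of the issue or the project's code. The allowlist entries are constructed placeholders from documentation ranges, the trusted-proxy ranges and the helper names (`parse_ip`, `client_ip`, `accept_webhook?`) are assumptions, and `signature_ok` stands in for the result of the signature verification the application already performs.

```ruby
require "ipaddr"

# Constructed placeholders (RFC 5737 documentation ranges), not Stripe's real
# addresses; the published list is at https://stripe.com/docs/ips.
WEBHOOK_SOURCE_ALLOWLIST = %w[192.0.2.10 192.0.2.11 198.51.100.0/28].map { |s| IPAddr.new(s) }
# Assumed: reverse proxies / load balancers that sit in front of the app.
TRUSTED_PROXIES = %w[10.0.0.0/8 127.0.0.1].map { |s| IPAddr.new(s) }

# Parse one address; returns nil for empty, malformed or CIDR-style input.
def parse_ip(value)
  text = value.to_s.strip
  return nil if text.empty? || text.include?("/")
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def in_any?(ip, ranges)
  ranges.any? { |range| range.include?(ip) }
end

# Resolve the caller's address. X-Forwarded-For is consulted only when the TCP
# peer is one of our own proxies, so a direct caller cannot spoof it. The header
# is read right to left, stopping at the first hop that is not a trusted proxy.
def client_ip(remote_addr, forwarded_for = nil)
  peer = parse_ip(remote_addr)
  return peer if peer.nil? || !in_any?(peer, TRUSTED_PROXIES)

  hops = forwarded_for.to_s.split(",").map { |hop| parse_ip(hop) }
  return nil if hops.any?(&:nil?) # malformed header: fail closed
  hops.reverse.find { |hop| !in_any?(hop, TRUSTED_PROXIES) }
end

# Both layers must pass: allowlisted source address and a valid signature.
# signature_ok is the boolean result of the application's existing check.
def accept_webhook?(remote_addr:, signature_ok:, forwarded_for: nil)
  ip = client_ip(remote_addr, forwarded_for)
  !ip.nil? && in_any?(ip, WEBHOOK_SOURCE_ALLOWLIST) && signature_ok == true
end
```

Behind a proxy the allowlist is only as reliable as `TRUSTED_PROXIES`: if that list is wrong, the check either trusts a forged header or rejects every request.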