Sorry I was confused by the Global use of return data in custom event. I thought that was somehow secured by server side checks. Didnât realize it just was used to show errors if the condition didnât evaluate to yes.
If you are not interested in API connector or APP connector, consider revisiting this post
Would definitely help the community for @georgecollier to give a numeric list of the suggestions he feels improve the app.
Rando, the parrot said you do not know what you are talking aboutâŚfunny how parrots repeat things they hear.
I went ahead and asked Chat GPT for a more detailed and refined answer. Basically, it said âSimple IP spoofing of HTTPS/TCP traffic is impractical. It says an attacker must complete a 3-way handshake which they can not do if they canât receive packets at the spoofed IP. So naive spoofing of an HTTPS webhook IP is generally not possible.
What was great though Rando about your comment, is it led me to find out something I didnât know and nobody else has mentioned here around security related to Stripe.
Recommended approach
- Always verify Stripeâs webhook signature (the Stripe-Signature Header) using the webhook signing secret from your Stripe Dashboard. This is an HMAC (SHA256) of the payload.
- Use timestamp tolerance/replay protection. Reject requests whose timestamp in the signature header is older than around 5 minutes.
- Require HTTPS
- Use IP allow list as a secondary control only.