Stripe webhook: What privacy rules?

jayy · 2022-12-10T07:32:59.618Z

I’m listening to Stripe events (namely checkout session completed) via a webhook (i.e. backend workflows).

Is it okay to check all these boxes? Any security/privacy concerns? Thanks!

I’m afraid if i disable one of these, something might not work.

lindsay_knowcode · 2022-12-10T13:29:24.255Z

EDIT Authentication does need to be switched off (as you have to use other other methods to secure the endpoint with Stripe Webhooks)

This post discusses it http://forum.bubble.io/t/stripe-webhook-in-bubble-big-vulnerability-to-all-apps-that-use-them/134030/27

You have to find out what you are personally comfortable with, and balance effort to implement vs what the risks are.

For me - checking the source IP addresses matches any of Stripes IP addresses is low effort to implement and reduces a lot of risk …

Good luck!

jayy · 2022-12-11T01:19:45.547Z

Thanks guys. I disabled the 2nd checkbox and the webhook failed.

It seems that I need to enable authentication, but I can’t find info on how to do this. Do you know of any writeup on this? Thanks!

image530×690 53.2 KB

adamhholmes · 2022-12-11T01:31:44.763Z

As I’m sure @lindsay_knowcode meant to say (and as you’ve discovered for yourself), the ‘This workflow can be run without authentication’ box must be checked for a Stripe webhook to work (not unchecked)…

So it’s up to you to validate the webhook on your end using the Stripe signature provided in the webhook header:

Check the webhook signatures | Stripe Documentation

lindsay_knowcode · 2022-12-11T06:42:21.452Z

Whoops typo … sorry about that … cheers @adamhholmes

jayy · 2022-12-12T01:41:27.590Z

oh right, thanks for that! so all 3 checkboxes need to be ticked to work properly, but we need to validate the webhook manually in the workflow.

boston85719 · 2023-03-29T16:57:02.536Z

Was just setting up some webhooks for first time in a long time and had the errors.

After reading the forum threads, and deciding I don’t want to authenticate the way Stripe suggests with their own libraries etc. (I’m a NoCoder for Apps Sake!); I decided I will add a bit of metadata to my checkout session API calls that will be the ‘api token’ that I create. The metadata parameters will be private (ugghhh I wish I could be my four year old son who whipped it out on in the middle of the restaurant to relieve himself, and not have to worry about Privacy Concerns).

When I have the webhook, I will in the backend workflow first verify that the metadata api key matches the value…if not, TERMINATE WORKFLOW!

cdorozco16 · 2023-08-17T18:19:58.320Z

How are you hiding the token you send from the user’s client during the checkout session?