undefined | Better HN

0 pointsrryan12y ago0 comments

Yes! This is the only part of Stripe's API that I raised an eyebrow at. I think it's a little irresponsible to send all the data via web-hook without providing a way to verify it came from Stripe.

At the very least they should only provide the event ID over webhook otherwise people will take the lazy route and trust trivially forgeable messages.

0 comments

2 comments · 1 top-level

pc12y ago· 1 in thread

> I think it's a little irresponsible to send all the data via web-hook without providing a way to verify it came from Stripe.

Well, as zrail said, you can trivially verify it by fetching the associated event from Stripe and ignoring the webhook body.

We've debated this ourselves, though. While you can theoretically get good security with a combination of SSL and a shared secret in the URL, it's a bit ungainly, and we should perhaps encourage the right thing more straightforwardly by dropping the body from the POST.

rryanOP12y ago

You can trivially verify it by doing more work (a web request to Stripe) or you could just take the lazy route and trust the data that came with the callback.

I did it the way zrail suggested but laziness typically wins especially if you aren't even aware of the reasons you might want to do it the way zrail suggested.

I'm for making the right way the only way (or at least the default way).

j / k navigate · click thread line to collapse